code-423n4 / 2023-05-xeth-findings


All the lp tokens will be stuck in the AMO2 contract if CVXStaker.withdrawAllAndUnwrap is called with sendToOperator flag #13

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-xeth/blob/main/src/CVXStaker.sol#L170-L179

Vulnerability details

Impact

Loss of all the stEth and xEth lp tokens.

Proof of Concept

The CVXStaker.withdrawAllAndUnwrap can be called by the admin. And if the sendToOperator param is true, all the lp tokens of the CVXStaker contract (including lp tokens staked in the CVX and left in the CVXStaker itself) will be withdrawn to the operator, which is the AMO2 contract.

IBaseRewardPool(cvxPoolInfo.rewards).withdrawAllAndUnwrap(claim);
if (sendToOperator) {
    uint256 totalBalance = clpToken.balanceOf(address(this));
    clpToken.safeTransfer(operator, totalBalance);
}

There is no function that can manipulate ERC20 tokens directly in the AMO2 contract. But there are 6 functions that can interact with Curve LP:

1 & 2 & 3: rebalanceUp & removeLiquidity & removeLiquidityOnlyStETH, these three functions have similar checks at the beginning:

        uint256 amoBalance = cvxStaker.stakedBalance();

        if (lpAmount > amoBalance) {
            revert LpBalanceTooLow();
        }

Because all the lp tokens in the staker have been withdrawn to the AMO2 itself, amoBalance = 0 and these three functions will always revert.

4 & 5 & 6: rebalanceDown & addLiquidity & addLiquidityOnlyStETH, these three functions have similar code for adding liquidity:

        lpOut = curvePool.add_liquidity(amounts, minLpOut);
        IERC20(address(curvePool)).safeTransfer(address(cvxStaker), lpOut);
        cvxStaker.depositAndStake(lpOut);

The lp token amount finally sent out from the AMO2 contract is from the return value of the curvePool.add_liquidity function. So these three functions can only mint and stake new lp tokens. They are unable to control the lp tokens stuck in the contract itself.

Tools Used

Manual review

Recommended Mitigation Steps

Add an external function to stake or unwrap (remove liquidity) the lp tokens in the contract.

Assessed type

DoS
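A sketch of the recommended mitigation, added here as an example and not part of the original report or the xETH code base: a function that restakes whatever LP balance the holding contract has, instead of relying on the add_liquidity return value. The contract name, `stakeIdleLp`, the single-admin access check and the minimal interfaces are assumptions; the function is meant to sit in the contract that ends up holding the tokens (AMO2 in this report), and the LP token is assumed to return a bool from `transfer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces (assumed), reduced to the calls quoted in the report.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface ICVXStakerMinimal {
    function depositAndStake(uint256 amount) external;
}

/// Hypothetical recovery logic for LP tokens left idle in the operator contract.
contract IdleLpRecovery {
    IERC20Minimal public immutable lpToken;       // the Curve LP token
    ICVXStakerMinimal public immutable cvxStaker; // staker the LP is returned to
    address public immutable admin;               // assumed access-control model

    error NotAdmin();
    error NothingToStake();
    error TransferFailed();

    event IdleLpRestaked(uint256 amount);

    constructor(IERC20Minimal _lpToken, ICVXStakerMinimal _cvxStaker, address _admin) {
        lpToken = _lpToken;
        cvxStaker = _cvxStaker;
        admin = _admin;
    }

    /// Restake the LP balance held by this contract, for example after
    /// withdrawAllAndUnwrap was called with sendToOperator set.
    function stakeIdleLp() external returns (uint256 amount) {
        if (msg.sender != admin) revert NotAdmin();
        // Read the real balance so tokens that arrived by plain transfer are
        // included, not only freshly minted LP from add_liquidity.
        amount = lpToken.balanceOf(address(this));
        if (amount == 0) revert NothingToStake();
        // Same transfer-then-depositAndStake sequence the report quotes.
        if (!lpToken.transfer(address(cvxStaker), amount)) revert TransferFailed();
        cvxStaker.depositAndStake(amount);
        emit IdleLpRestaked(amount);
    }
}
```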

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #6

c4-judge commented 1 year ago

kirk-baird changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory