Open code423n4 opened 1 year ago
minhquanym marked the issue as primary issue
0xShaito marked the issue as disagree with severity
Governance should not pass proposal that are harmful for the protocol and they should check the parameters carefully.
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Passing a proposal that addresses the issue, as well as not passing any proposal at all, could both have detrimental effects on the protocol. This is precisely why the update functionality exists.
There are notable concerns regarding the relationship between this issue and #90:
Pool Updates and Shutdowns: Both vulnerabilities revolve around Convex pools linked to a specific poolId
undergoing updates or shutdowns. These vulnerabilities emerge due to mishandling of these changes within the VaultController
contract.
Impacted Functionality: In both instances, users' ability to interact with the vault, deposit, and withdraw assets is affected. This issue pertains to rewards functionality, where users might lose access to their accumulated rewards if the poolId
is updated without proper handling. The second issue impacts users' ability to deposit assets into the vault and could potentially lead to challenges with liquidations and collateral management.
Risk to Users: Both vulnerabilities pose risks for users who have assets in the vault. Here, users could lose their rewards if pool updates are not managed appropriately. In issue 90, users could encounter difficulties depositing or withdrawing assets, with an added risk of improper liquidation.
Mitigation Steps: Recommended mitigation steps for both vulnerabilities include implementing checks and appropriate handling of pool updates and shutdowns. In particular, both advocate for checks before updating or utilizing a poolId
, along with effective coordination with the Convex protocol to manage transitions and updates.
In view of these aspects, I am of the opinion that this issue shares a partial relation with #90. I kindly request your consideration in acknowledging this interconnectedness.
Thank you @dmvt, for your valuable time that enlightening us with your considerations.
Your issue is well written and related to the other in terms of the fix. The difference is that your report relies on governance making a mistake, whereas the other does not. The likelihood that governance would make this mistake is what pulls yours down to QA. The validity of the scenario you describe and its impact is why it was downgraded instead of invalidated.
Lines of code
https://github.com/code-423n4/2023-07-amphora/blob/daae020331404647c661ab534d20093c875483e1/core/solidity/contracts/core/VaultController.sol#L395-L401
Vulnerability details
In
VaultController.sol#updateRegisteredErc20()
when the owner updates the poolId, it may inadvertently change the address of the Convex BaseRewardPool associated with the token, which can impact the rewards functionality and result in potential losses for users.The code responsible for handling the update is as follows:
The
updateRegisteredErc20
function allows the owner of theVaultController.sol
contract to update thepoolId
associated with an ERC20 token. This means that the contract owner can change the address of theBaseRewardPool
(named_crvRewards
in the code) associated with the token. If this update is performed without proper consideration, it could lead to a loss of funds for users who have deposited tokens into the vault and accumulated rewards in the previousBaseRewardPool
.The risk arises when the Convex protocol shuts down a pool associated with a specific
poolId
and creates a new pool with the same_tokenAddress
. If the contract owner updates thepoolId
for the corresponding ERC20 token to point to the new pool without handling the transition of user rewards properly, users may lose access to their original rewards stored in the old BaseRewardPool.Impact
Users may lose access to their original rewards.
Proof of Concept
consider the following scenario:
A user deposits tokens of token (X) into the vault and starts accumulating rewards in the
BaseRewardPool
associated withpoolId
(A).The Convex protocol shuts down a pool with
poolId
(A), associated with an ERC20 token (X). After a while the Convex protocol create a new pool withpoolId
(B).The contract owner updates the
poolId
for token (X) frompoolId
(A) topoolId
(B), pointing to a new pool created by Convex.The user tries to withdraw their deposited token amount and rewards from token (A) using the updated
poolId
(B).The withdrawal function interacts with the new
BaseRewardPool
associated with pool (B), causing the user to lose access to their original rewards stored in the oldBaseRewardPool
(pool (A)).Tools Used
VSC
Recommended Mitigation Steps
Implement checks: Before updating the
poolId
, the contract owner should check the status of the pool and ensure that it is not in shutdown mode. If the pool is in shutdown mode, the owner should not be able to update thepoolId
until no rewards still inBaseRewardPool
.Proper handling of reward transition: When updating the
poolId
, the contract should take care of properly transitioning the user's earned rewards from the oldBaseRewardPool
to the new one associated with the updatedpoolId
. This can be achieved by coordinating with the Convex protocol and ensuring a smooth transfer of rewards.Assessed type
Other