code-423n4 / 2023-07-tapioca-findings


Cannot use CurveSwapper when calling compound due to mismatched data parameter #1280

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/master/contracts/aave/AaveStrategy.sol#L192
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/master/contracts/curve/TricryptoNativeStrategy.sol#L169
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/master/contracts/convex/ConvexTricryptoStrategy.sol#L206
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/master/contracts/curve/TricryptoLPStrategy.sol#L178

Vulnerability details

Impact

When swapper.getOutputAmount is reached, swapData and a blank string, "", are passed. CurveSwapper's getOutputAmount expects dexOptions to be an array of uint256, not a blank string, "". As a result, the transaction will revert, which will prevent these strategies from compounding.

Proof of Concept

  1. Aave strategy is deployed with CurveSwapper as its swapper
  2. A caller calls compound but the transaction reverts

Tools Used

manual

Recommended Mitigation Steps

If CurveSwapper is used, ensure that the correct parameters are passed

Assessed type

DoS
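The mismatch described in this report, reduced to a minimal sketch. This is an added example, not code from the issue or from the Tapioca repositories. The contract and function names, the `uint256` payload in `swapData`, the two-index requirement and the use of `abi.decode` on `dexOptions` are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical reduced interface; only the (swapData, dexOptions) pair comes from the report.
interface ISwapperSketch {
    function getOutputAmount(bytes calldata swapData, bytes calldata dexOptions)
        external view returns (uint256);
}

// Stand-in for a Curve-style swapper. Assumption: dexOptions is read with abi.decode.
contract CurveStyleSwapperSketch is ISwapperSketch {
    function getOutputAmount(bytes calldata swapData, bytes calldata dexOptions)
        external pure returns (uint256)
    {
        // Empty dexOptions has no offset or length word, so this decode reverts.
        uint256[] memory tokenIndexes = abi.decode(dexOptions, (uint256[]));
        require(tokenIndexes.length == 2, "dexOptions: need 2 indexes");
        // Constructed 1:1 quote; a real swapper would query the pool here.
        return abi.decode(swapData, (uint256));
    }
}

// Stand-in for a strategy that asks its swapper for a quote while compounding.
contract StrategySketch {
    ISwapperSketch public immutable swapper;
    uint256[] private curveIndexes; // constructed configuration, e.g. [2, 0]

    constructor(ISwapperSketch _swapper, uint256 i, uint256 j) {
        swapper = _swapper;
        curveIndexes.push(i);
        curveIndexes.push(j);
    }

    // Call shape from the report: "" as dexOptions. Reverts with the swapper above.
    function quoteWithBlankOptions(uint256 amountIn) external view returns (uint256) {
        return swapper.getOutputAmount(abi.encode(amountIn), "");
    }

    // Corrected shape: dexOptions carries the ABI-encoded uint256[] the swapper expects.
    function quoteWithEncodedOptions(uint256 amountIn) external view returns (uint256) {
        return swapper.getOutputAmount(abi.encode(amountIn), abi.encode(curveIndexes));
    }
}
```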

c4-pre-sort commented 1 year ago

minhquanym marked the issue as primary issue

c4-sponsor commented 1 year ago

0xRektora marked the issue as sponsor confirmed

c4-judge commented 1 year ago

dmvt marked the issue as selected for report