Closed c4-bot-10 closed 9 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #185
0xA5DF marked the issue as not a duplicate
Hey @viraj124 This one as well if possible, similar to #59 but seems to talk about a different issue
@0xA5DF the pool will always use the weth token only that is a given so we can close I think
viraj124 (sponsor) disputed
Thanks! I agree with the sponsor, this is documented at the top of the contract as well:
/**
* @notice
* curve tricrypto adapter contract enabling swapping, adding liquidity & removing liquidity for the curve usdt-wbtc-eth pool
*/
0xA5DF marked the issue as unsatisfactory: Invalid
0xA5DF removed the grade
0xA5DF marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/CurveTricryptoAdapter.sol#L99-L104
Vulnerability details
Impact
For some of Curve's Tricrypto pools, CurveTricryptoAdapter will not be working.
Proof of Concept
In the CurveTricryptoAdapter contract, it assumes that the last token of tricrypto pools is one of the WETH smart contracts, so it just overwrites token data with Ocean's predefined token id for WETH to avoid duplication of different WETH tokens. However, some of Curve's Tricrypto pools do not include WETH in their token list, including TryLSD (wstETH + rETH + sfrxETH) and TricryptoLLAMA (crvUSD + tBTC + wstETH).
As a result, CurveTricryptoAdapter's logic like Deposit, Swap, and Withdraw does not work because it expects ETH but actually other LSTs are processed.
Tools Used
Manual Review
Recommended Mitigation Steps
Check if the last token of Curve's Tricrypto pool is one of the WETH tokens. If it is, follow the current logic, which sets use_eth to True; otherwise, set use_eth to False.
Assessed type
Context