The protocol makes external calls to Curve pools as a security measure. However, the calls are made in an unsafe manner. This matters because every Curve pool has different code and the pools are not standardized.
Multiple problems can arise from unsafe external calls treated this way:
Execution will fail, but the transaction will not revert, because the failed execution only returns false.
The amount of returned data is bigger than what the stack can hold, and the call will run into an out-of-gas scenario.
Impact
Possible DoS or other unexpected events, such as a transaction failing although the call has succeeded.
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Wrap the call to Curve pools in a Yul low-level external call, OR
Wrap the call to Curve pools in a function similar to _callOptionalReturn, which you already use for token transfers, and validate the returned data.
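One way to implement the Yul option, as an added example that is not the protocol's code: the helper reverts when the call fails instead of ignoring the returned false, and copies only a bounded amount of return data. The names BoundedCall, boundedCall and MAX_RETURN_BYTES are hypothetical, and the 32-byte cap is an assumption about what the caller needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Library, function and constant names are hypothetical.
library BoundedCall {
    // Assumption: the caller needs at most one 32-byte word of return data.
    uint256 internal constant MAX_RETURN_BYTES = 32;

    error TargetHasNoCode(address target);
    error ExternalCallFailed(address target);

    /// Calls `target` with `data`, reverts if the call fails, and copies at
    /// most MAX_RETURN_BYTES of the return data into memory.
    function boundedCall(address target, bytes memory data)
        internal
        returns (bytes memory ret)
    {
        // A low-level call to an address without code reports success,
        // so reject it explicitly.
        if (target.code.length == 0) revert TargetHasNoCode(target);

        bool success;
        uint256 cap = MAX_RETURN_BYTES;
        assembly ("memory-safe") {
            // Output size 0: CALL itself copies nothing into memory.
            success := call(gas(), target, 0, add(data, 0x20), mload(data), 0, 0)

            // Copy no more than `cap` bytes, whatever the callee returned,
            // so memory expansion cost stays fixed.
            let size := returndatasize()
            if gt(size, cap) { size := cap }

            ret := mload(0x40)
            mstore(ret, size)
            returndatacopy(add(ret, 0x20), 0, size)
            // Advance the free memory pointer past the padded buffer.
            mstore(0x40, add(add(ret, 0x20), and(add(size, 0x1f), not(0x1f))))
        }

        // Surface the failure instead of silently continuing.
        if (!success) revert ExternalCallFailed(target);
    }
}
```

The caller still has to decode and validate `ret` for the specific pool, as the second recommendation describes.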
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseSecurity/WiseSecurity.sol#L193-L232
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseSecurity/WiseSecurity.sol#L225-L227
Assessed type
Context