code-423n4 / 2024-04-revert-mitigation-findings


M-10 MitigationConfirmed #32

Open c4-bot-1 opened 4 months ago

c4-bot-1 commented 4 months ago

Lines of code

Vulnerability details

C4 Issue

M-10: Users' tokens stuck in AutoCompound after Vault is deactivated

Issue Details

In order for a vault to use a transformer, it must first be enabled on that transformer through the setVault function, which enables/disables it:

    function setVault(address _vault, bool _active) public onlyOwner {
        emit VaultChanged(_vault, _active);
        vaults[_vault] = _active;
    }

The AutoCompound transformer implements a function called withdrawLeftoverBalances that allows accounts to withdraw any leftover balances after their positions were processed. The problem was that if the vault was subsequently disabled, it would DoS the withdrawal for users that transform their positions through V3Vault.

Mitigation

PR-18 successfully mitigates the original issue by refactoring setVault so that it cannot disable vaults once enabled.

Conclusion

Mitigation Confirmed
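
An added example, not part of the original comment and not PR-18's code: a minimal Solidity sketch of why a disabled vault blocks withdrawLeftoverBalances and how a one-way setVault removes that state. The owner lookup through the vault, and the names IVaultLike, TransformerSketch, record, nftHolder, leftover and CannotDisableVault, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Only setVault, vaults, VaultChanged,
// onlyOwner and withdrawLeftoverBalances are names taken from the page.
interface IVaultLike {
    function ownerOf(uint256 tokenId) external view returns (address);
}

contract TransformerSketch {
    address public immutable owner;
    mapping(address => bool) public vaults;
    mapping(uint256 => address) public nftHolder; // assumed: current holder of the position NFT
    mapping(uint256 => uint256) public leftover;  // assumed: leftover amount per position

    event VaultChanged(address indexed vault, bool active);
    error Unauthorized();
    error CannotDisableVault();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    // One-way switch: enabling is allowed, disabling an enabled vault reverts.
    function setVault(address _vault, bool _active) public onlyOwner {
        if (!_active && vaults[_vault]) revert CannotDisableVault();
        emit VaultChanged(_vault, _active);
        vaults[_vault] = _active;
    }

    // Hypothetical helper standing in for position processing.
    function record(uint256 tokenId, address holder, uint256 amount) external onlyOwner {
        nftHolder[tokenId] = holder;
        leftover[tokenId] = amount;
    }

    // Assumed check: when the NFT sits in an enabled vault, the vault reports the real
    // owner. If vaults[holder] could flip to false, holder would stay the vault address
    // and every depositor's call would revert with Unauthorized.
    function withdrawLeftoverBalances(uint256 tokenId) external returns (uint256 amount) {
        address holder = nftHolder[tokenId];
        if (vaults[holder]) holder = IVaultLike(holder).ownerOf(tokenId);
        if (holder != msg.sender) revert Unauthorized();
        amount = leftover[tokenId];
        leftover[tokenId] = 0; // the sketch returns the amount in place of a token transfer
    }
}
```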

c4-judge commented 4 months ago

jhsagd76 marked the issue as satisfactory