code-423n4 / 2024-05-bakerfi-findings


Hardcoded Uniswap fee tier may cause DoS of harvest functionality #3

Closed c4-bot-8 closed 3 months ago

c4-bot-8 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/strategies/StrategyLeverage.sol#L545-L547

Vulnerability details

Proof of Concept

When StrategyLeverage.harvest is called and the current LTV is bigger than the max LTV, the function adjusts the LTV of the position, and a flashloan is taken with the FlashLoanAction.PAY_DEBT action, which means that the _payDebt function will handle the callback.

The function tries to work out what amount of collateral it needs to withdraw to repay the flashloan and fee.

        (uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
            IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, 500, 0)
        );    

As you can see, it puts 500 as the Uniswap fee tier. But later, during the swap, it uses _swapFeeTier to get the correct pool.

        uint256 output = _swap(
            ISwapHandler.SwapParams(
                ierc20A(),
                wETHA(),
                ISwapHandler.SwapType.EXACT_OUTPUT,
                amountIn,
                debtAmount + fee,
                _swapFeeTier,
                bytes("")
            )
        );

As a result, if _swapFeeTier is not 500, the functionality may work incorrectly. For example, it's possible that there is no 500 fee tier, or _swapFeeTier is higher, which means that the swap will revert as not enough funds will be allowed to swap.

Impact

Harvest functionality may not work.

Tools Used

VS Code

Recommended Mitigation Steps

Use the _swapFeeTier variable to get the quote.

        (uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
            IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, _swapFeeTier, 0)
        );    

Assessed type

Error
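The quote/swap mismatch described in this report, as an added example that is not part of the original submission or the BakerFi code base: a simplified model showing a quote taken at tier 500 being used as the input cap for a swap at a different tier. It assumes constant-product pools (real Uniswap V3 pools use concentrated liquidity) with constructed reserves; `pay_debt`, `POOLS` and the other names are hypothetical.

```python
# Added example: simplified constant-product model, not BakerFi or Uniswap code.
FEE_DENOMINATOR = 1_000_000  # Uniswap V3 fee tiers are in hundredths of a bip

class Revert(Exception):
    """Stands in for an EVM revert."""

def ceil_div(a, b):
    return -(-a // b)

def quote_exact_output(pools, fee_tier, amount_out):
    """Input needed to receive amount_out from the pool at fee_tier."""
    if fee_tier not in pools:
        raise Revert(f"no pool for fee tier {fee_tier}")
    reserve_in, reserve_out = pools[fee_tier]
    if amount_out >= reserve_out:
        raise Revert("insufficient liquidity")
    net_in = ceil_div(reserve_in * amount_out, reserve_out - amount_out)
    # The fee is charged on the input, on top of the net amount.
    return net_in + ceil_div(net_in * fee_tier, FEE_DENOMINATOR - fee_tier)

def swap_exact_output(pools, fee_tier, amount_out, amount_in_max):
    """Exact-output swap that reverts when the pool needs more than the cap."""
    needed = quote_exact_output(pools, fee_tier, amount_out)
    if needed > amount_in_max:
        raise Revert(f"needs {needed}, capped at {amount_in_max}")
    return needed

def pay_debt(pools, quote_fee_tier, swap_fee_tier, debt_plus_fee):
    """Mirrors the callback's two steps: quote, then swap capped at the quote."""
    amount_in = quote_exact_output(pools, quote_fee_tier, debt_plus_fee)
    return swap_exact_output(pools, swap_fee_tier, debt_plus_fee, amount_in)

def outcome(pools, quote_fee_tier, swap_fee_tier, debt_plus_fee):
    try:
        return ("ok", pay_debt(pools, quote_fee_tier, swap_fee_tier, debt_plus_fee))
    except Revert as exc:
        return ("revert", str(exc))

# Constructed sample state: (collateral reserve, WETH reserve) per fee tier.
POOLS = {500: (1_000_000, 1_000_000), 3000: (1_000_000, 1_000_000)}

if __name__ == "__main__":
    print(outcome(POOLS, 500, 3000, 10_000))   # hardcoded quote tier, 0.3% swap tier
    print(outcome(POOLS, 3000, 3000, 10_000))  # same tier for quote and swap
    print(outcome({3000: POOLS[3000]}, 500, 3000, 10_000))  # no 0.05% pool exists
```

Even with identical reserves in both pools, the tier-500 quote falls short of what the tier-3000 swap needs, so the capped swap reverts; quoting with the swap's own tier removes the gap.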

c4-judge commented 3 months ago

0xleastwood marked the issue as duplicate of #34

c4-judge commented 3 months ago

0xleastwood marked the issue as satisfactory

c4-judge commented 3 months ago

0xleastwood changed the severity to 3 (High Risk)