Lines of code
https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/strategies/StrategyLeverage.sol#L545-L547
Vulnerability details
Proof of Concept
When StrategyLeverage.harvest is called and the current LTV is bigger than the max LTV, the function adjusts the LTV of the position and then a flashloan is taken with the FlashLoanAction.PAY_DEBT action, which means that the _payDebt function will handle the callback.
The function tries to work out what amount of collateral it needs to withdraw to repay the flashloan and fee.
As you can see, it puts 500 as the Uniswap fee tier. But later, during the swap, it uses _swapFeeTier to get the correct pool.
As a result, if _swapFeeTier is not 500, this functionality may work incorrectly. For example, it's possible that there is no 500 fee tier, or _swapFeeTier is higher, which means that the swap will revert as not enough funds will be allowed to swap.
Impact
Harvest functionality may not work.
Tools Used
VsCode
Recommended Mitigation Steps
Use the _swapFeeTier variable to get the quote.
Assessed type
Error
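The mismatch described in the proof of concept can be reproduced off-chain. The following is an added example, not code from the report or from the BakerFi repository: it models each fee-tier pool as a constant-product pool (a simplification of Uniswap V3), and all function names, reserves and amounts are constructed for illustration.

```python
FEE_DENOMINATOR = 1_000_000  # Uniswap V3 fee tiers are in hundredths of a bip

class SwapReverted(Exception):
    """Stands in for an on-chain revert."""

def ceil_div(a, b):
    return -(-a // b)

def quote_exact_output(pools, fee_tier, amount_out):
    """Input required to receive amount_out from the pool at fee_tier."""
    if fee_tier not in pools:
        raise SwapReverted(f"no pool for fee tier {fee_tier}")
    reserve_in, reserve_out = pools[fee_tier]
    if amount_out >= reserve_out:
        raise SwapReverted("insufficient liquidity")
    net_in = ceil_div(reserve_in * amount_out, reserve_out - amount_out)
    # The fee is taken from the input, so the gross input grows with the tier.
    return ceil_div(net_in * FEE_DENOMINATOR, FEE_DENOMINATOR - fee_tier)

def swap_exact_output(pools, fee_tier, amount_out, amount_in_max):
    """Exact-output swap that reverts when the input cap is too low."""
    needed = quote_exact_output(pools, fee_tier, amount_out)
    if needed > amount_in_max:
        raise SwapReverted(f"needs {needed}, only {amount_in_max} allowed")
    return needed

def pay_debt(pools, swap_fee_tier, quote_fee_tier, debt_plus_fee):
    """Quote the collateral to withdraw, then swap it to repay the flashloan."""
    collateral = quote_exact_output(pools, quote_fee_tier, debt_plus_fee)
    return swap_exact_output(pools, swap_fee_tier, debt_plus_fee, collateral)

def outcome(pools, swap_fee_tier, quote_fee_tier, debt_plus_fee=10**18):
    try:
        return "ok", pay_debt(pools, swap_fee_tier, quote_fee_tier, debt_plus_fee)
    except SwapReverted as err:
        return "revert", str(err)

# Constructed sample pools: fee tier -> (collateral reserve, debt-token reserve).
RESERVES = (1_000 * 10**18, 1_000 * 10**18)
POOLS = {500: RESERVES, 3000: RESERVES}

if __name__ == "__main__":
    print(outcome(POOLS, 3000, 500))             # quote hardcoded to 500
    print(outcome(POOLS, 3000, 3000))            # quote uses the swap tier
    print(outcome({3000: RESERVES}, 3000, 500))  # no 500 pool exists
```

The first and third calls revert and the second succeeds, which is the behaviour the recommended mitigation restores by quoting with the same tier that the swap uses.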