Closed c4-bot-7 closed 3 months ago
0xleastwood marked the issue as primary issue
The fee must be accommodated from the amount we withdraw from the vault. We keep the fee on the vault to pay the flash loan.
Need to reserve the fee because otherwise the flash loan cannot be repaid.
0xleastwood marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-bakerfi/blob/59b1f70cbf170871f9604e73e7fe70b70981ab43/contracts/core/strategies/StrategyLeverage.sol#L712
Vulnerability details
Vulnerability details
when user call
vault.withdraw()
will execute_repayAndWithdraw()
This method calculates
_pendingAmount
, which represents the number of assets thatAAVE
has removed this time. Current formula:_pendingAmount = ethToWithdraw = wETHAmount - repayAmount - fee
.The correct formula is
_pendingAmount = wETHAmount - repayAmount
.Because, during execution, funds are deposited and withdrawn as follows:
The above
AAVE
flow of funds has nothing to do withfee
.The
fee
is split from thewETHAmount
and given to theBalancer
to pay the fees for the flash loan, which shouldn't be counted in this formula.Impact
_pendingAmount
will eventually be used inundeploy()
:_deployedAmount -= _pendingAmount
And_deployedAmount
is used inharvest()
to calculatebalanceChange
, which affects thefee
calculation ofrebalance()
. Wrong_pendingAmount
leads to wrongfee
calculationRecommended Mitigation
Assessed type
Context