Impact
Loss of enabled-by-default yield for USDB and WETH on Blast when the tokens are used in vaults.
Proof of Concept
From the provided information in the readme, all possible ERC20s are to be used, and the chains to deploy on include Blast:
ERC20 used by the protocol: Any (all possible ERC20s)
Chains the protocol will be deployed on: Ethereum, Arbitrum, Base, BSC, Optimism; Other: Blast, Mantle, K2 (Karak's L2 based on the OP stack)
USDB and WETH on Blast are two ERC20 tokens, and they have their yield mode set to Automatic by default.
From Blast Docs:
Similar to ETH, WETH and USDB on Blast are also rebasing and follow the same yield mode configurations.
However, unlike ETH where contracts have Disabled yield by default, WETH and USDB accounts have Automatic yield by default for both EOAs and smart contracts.
Vault.sol uses internal accounting to track all the tokens deposited by the users. Taking the deposit function as an example:

```solidity
function deposit(uint256 assets, address to)
    public
    override(ERC4626, IVault)
    whenFunctionNotPaused(Constants.PAUSE_VAULT_DEPOSIT)
    nonReentrant
    returns (uint256 shares)
{
    if (assets == 0) revert ZeroAmount();
    return super.deposit(assets, to);
}
```

Users deposit their USDB/WETH into the respective vaults and are minted shares in return. While their tokens are locked in the vault, the vault accrues the rebasing rewards, whose yield mode has been established to be Automatic. The same occurs in the other deposit function and in the mint function, as both bring tokens into the protocol.
So when USDB/WETH are used as vault assets, the yield accrued through automatic rebasing is lost, because the vault has no way to claim it. Also, since there is no Blast-specific configuration, there is no way to change the yield mode of the tokens.
Tools Used
Manual code review
Recommended Mitigation Steps
Add the ability to set the yield mode of native rebasing ERC20 tokens (USDB/WETH on Blast) to CLAIMABLE and implement a way to claim the yields.
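One way to implement this mitigation, as an added example that is not Karak's code: a hypothetical mixin that switches the rebasing asset to CLAIMABLE and exposes a claim function. It assumes the Blast-documented IERC20Rebasing interface (configure/getClaimableAmount/claim), that the vault keeps its existing internal accounting, and that the mixin is only used where the asset is a Blast rebasing token, since configure() reverts on a plain ERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Yield-mode interface as documented by Blast for its rebasing ERC20s (WETH/USDB).
enum YieldMode { AUTOMATIC, VOID, CLAIMABLE }

interface IERC20Rebasing {
    function configure(YieldMode mode) external returns (uint256);
    function getClaimableAmount(address account) external view returns (uint256);
    function claim(address recipient, uint256 amount) external returns (uint256);
}

// Hypothetical mixin (not Karak's code). Assumes the inheriting vault tracks
// deposits internally, so balance growth from AUTOMATIC yield would otherwise
// be stranded in the contract with no path to claim it.
abstract contract BlastYieldClaimer {
    IERC20Rebasing internal immutable rebasingAsset;
    address public yieldRecipient;

    event YieldClaimed(address indexed recipient, uint256 amount);

    constructor(address asset, address recipient) {
        rebasingAsset = IERC20Rebasing(asset);
        yieldRecipient = recipient;
        // Leave the AUTOMATIC default: yield now accrues as a separately
        // claimable amount instead of silently inflating the vault's balance.
        rebasingAsset.configure(YieldMode.CLAIMABLE);
    }

    // Access control (e.g. an owner or manager role) is supplied by the
    // inheriting contract; left abstract here.
    function _authorizeClaim() internal virtual;

    function claimableYield() public view returns (uint256) {
        return rebasingAsset.getClaimableAmount(address(this));
    }

    // Moves accrued yield to `yieldRecipient` without touching share accounting:
    // the claimed amount never enters the vault's tracked assets, so the
    // share price is unaffected and no depositor can be shortchanged.
    function claimYield() external returns (uint256 claimed) {
        _authorizeClaim();
        uint256 amount = claimableYield();
        if (amount == 0) return 0;
        claimed = rebasingAsset.claim(yieldRecipient, amount);
        emit YieldClaimed(yieldRecipient, claimed);
    }
}
```

Whether the claimed yield goes to depositors (by adding it to tracked assets) or to a treasury is a design decision the vault must make explicitly; the mixin above keeps it out of share accounting.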
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Vault.sol#L101
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Vault.sol#L86
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Vault.sol#L118
Assessed type
Context