Description:Description\
It is possible to deposit LP directly into the CvgFraxLpLocker without locking without being charged any fees. All other deposit methods are charged fees when depositiing without locking and the Natspec comments for this function also specify that fees should be taken.
@param isLock lock directly into the cvgConvexVault, if false some fees are taken
/**
* @notice Deposit LP directly (for example eUSD/FRAXBP : deposit with eUSD/FRAXBP token).
* @param amountLp of the LP to deposit
* @param isLock lock directly into the cvgConvexVault, if false some fees are taken
* @param receiver address
*/
function depositLp(uint256 amountLp, bool isLock, address receiver) external returns (uint256) {
(address operator, address _receiver) = _compliance(receiver);
//transferFrom curveLp to here
curveLp.transferFrom(operator, address(this), amountLp);
//deposit CurveLp and Mint cvgFraxLp to receiver
_depositLpAndMint(amountLp, isLock, _receiver); // @audit no fees are taken
return amountLp;
}
Attack Scenario\
No attack, contract just does not work as documented.
However this does reduce the amount of processing fees a user can claim when calling increaseLock()
Attachments
Proof of Concept (PoC) File
See above, no fees are deducted
Revised Code File (Optional)
function depositLp(uint256 amountLp, bool isLock, address receiver) external returns (uint256) {
(address operator, address _receiver) = _compliance(receiver);
//transferFrom curveLp to here
curveLp.transferFrom(operator, address(this), amountLp);
if (!isLock) {
amountLp -= (amountLp * feesForNonLocker) / DENOMINATOR;
}
//deposit CurveLp and Mint cvgFraxLp to receiver
_depositLpAndMint(amountLp, isLock, _receiver);
return amountLp;
}
PlamenTSV
commented
6 months ago
Github username: -- Twitter username: -- Submission hash (on-chain): 0x353c56879610775e85c2f5fcba3dc0dfc47bf189178178d8bca6fc864db80b6e Severity: low
Description: Description\ It is possible to deposit LP directly into the
CvgFraxLpLockerwithout locking without being charged any fees. All other deposit methods are charged fees when depositiing without locking and the Natspec comments for this function also specify that fees should be taken.@param isLock lock directly into the cvgConvexVault, if false some fees are takenAttack Scenario\ No attack, contract just does not work as documented.
However this does reduce the amount of processing fees a user can claim when calling
increaseLock()Attachments
Proof of Concept (PoC) File See above, no fees are deducted
Revised Code File (Optional)