requireValidAccount does not prevent the vault address itself from opening a position
Summary
requireValidAccount does not prevent a vault from opening a position in its own vault
Vulnerability Detail
requireValidAccount is called from enterVault in VaultAccountAction.sol used to ensure that:
These accounts cannot receive deposits, transfers, fCash or any other types of value transfers
Where the accounts in question are: the reserve address (aka address(0)), the VaultAccountAction contract address, and any nToken contract address. This list, however, does not include the vault address itself.
Impact
If a vault were to open a position on itself, that could cause a vault to incorrectly convert underlying assets to strategy tokens and vice versa if the vault uses token balance to determine amount and calculate value.
Arbitrary-Execution
medium
requireValidAccount
does not prevent the vault address itself from opening a positionSummary
requireValidAccount
does not prevent a vault from opening a position in its own vaultVulnerability Detail
requireValidAccount
is called fromenterVault
inVaultAccountAction.sol
used to ensure that:Where the accounts in question are: the reserve address (aka
address(0)
), theVaultAccountAction
contract address, and anynToken
contract address. This list, however, does not include the vault address itself.Impact
If a vault were to open a position on itself, that could cause a vault to incorrectly convert underlying assets to strategy tokens and vice versa if the vault uses token balance to determine amount and calculate value.
Code Snippet
https://github.com/notional-finance/contracts-v2/blob/cf05d8e3e4e4feb0b0cef2c3f188c91cdaac38e0/contracts/external/actions/ActionGuards.sol#L35-L48
Failing test case (add to
tests/stateful/vaults/test_vault_entry.py
):Tool used
Manual Review
Recommendation
Consider adding the following
require
statement toenterVault
: