xiaoming90
medium
Claim Rewards Can Fail Due To Transfer Failure
Summary
When a transfer failure occurs, the claiming of rewards will fail. This causes the value of the vault shares to be stuck and not increase.
Vulnerability Detail
Note: This issue only affects MetaStable2 and Boosted3 balancer leverage vaults
The claimRewardTokens function will be triggered to claim the reward tokens from the Aura Reward Pool on behalf of the vault. The code will loop through all the reward tokens it receives and attempt to transfer a certain percentage of the accrued reward to FEE_RECEIVER as fees at Line 78 below. However, a single token transfer revert will cause the reward claim to fail.
Token transfers can fail due to various reasons:
The account address has its ERC-20 token funds frozen or paused (e.g. USDC blacklist), or a malicious user sends funds from a sanctioned protocol (e.g. Tornado Cash) to the vault in an attempt to get the vault blacklisted.
The ERC-20 token contract is paused in general.
The gas costs of the operations needed to transfer the assets increase in the future.
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L61
Impact
Claiming rewards is one of the most critical components of Balancer vaults because the vault depends solely on claiming the rewards and selling them to obtain more BPT to increase the value of the vault shares. If reward claims stop working, the value of the vault shares will be stuck and will not increase.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L61
Tool used
Manual Review
Recommendation
It is recommended to adopt a withdrawal pattern where the fees are accumulated within the vault, and the FEE_RECEIVER can withdraw the accumulated fees from the vault at a later time.
Alternatively, use try-catch logic to filter out pausable error cases or implement partial reward claims if possible.
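A sketch of the recommended withdrawal pattern, added here as an example and not taken from the Notional code base. Only claimRewardTokens and FEE_RECEIVER come from the finding; the contract, the interfaces, getReward, feeBps, accruedFees and withdrawFees are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IRewardPool { function getReward() external; } // hypothetical claim call

// Hypothetical vault: only claimRewardTokens and FEE_RECEIVER are names from the finding.
contract PullFeeVault {
    uint256 private constant FEE_DENOMINATOR = 10_000;
    address public immutable FEE_RECEIVER;
    IRewardPool public immutable rewardPool;
    uint256 public immutable feeBps;
    IERC20[] public rewardTokens;
    // Owed to FEE_RECEIVER; must be excluded from any balance the vault sells for BPT.
    mapping(IERC20 => uint256) public accruedFees;

    constructor(address receiver, IRewardPool pool, uint256 bps, IERC20[] memory tokens) {
        require(bps <= FEE_DENOMINATOR, "fee too high");
        FEE_RECEIVER = receiver;
        rewardPool = pool;
        feeBps = bps;
        rewardTokens = tokens;
    }

    // Claiming only records the fee; no transfer to FEE_RECEIVER happens here,
    // so a frozen or paused fee transfer cannot revert the claim.
    function claimRewardTokens() external {
        uint256 n = rewardTokens.length;
        uint256[] memory balBefore = new uint256[](n);
        for (uint256 i; i < n; ++i) balBefore[i] = rewardTokens[i].balanceOf(address(this));
        rewardPool.getReward();
        for (uint256 i; i < n; ++i) {
            IERC20 token = rewardTokens[i];
            uint256 claimed = token.balanceOf(address(this)) - balBefore[i];
            accruedFees[token] += (claimed * feeBps) / FEE_DENOMINATOR;
        }
    }

    // A failing transfer reverts only this call, and only for this one token.
    function withdrawFees(IERC20 token) external {
        require(msg.sender == FEE_RECEIVER, "not fee receiver");
        uint256 amount = accruedFees[token];
        accruedFees[token] = 0; // effects before interaction
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeWithSelector(IERC20.transfer.selector, FEE_RECEIVER, amount));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```

This removes only the fee-transfer failure path: if the reward pool's own transfer into the vault reverts (for example because the vault address itself is blacklisted), the claim still fails.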