Closed sherlock-admin closed 1 year ago
It's not clear what internal account issues this would cause? Users cannot enter the settlement window once a single settlement has occurred. I would consider this issue invalid unless a specific internal account issue can be identified.
Agreed. While this may be semantically un-intuitive, it doesn't cause any real issue because users can't enter the vault after settlement proceedings have actually begun and that's what matters.
xiaoming90
medium
Users Can Enter Balancer Vault Within Settlement Period
Summary
Users are not allowed to enter the vault within the settlement windows. However, it was observed that it is possible for a user to enter the vault within the settlement window.
Vulnerability Detail
For Balancer-related vaults, assume that the vault will mature on Day 10, then the settlement window is `Maturity date (day 10) - 3 days settlement period`, which means that the settlement window is from Day 8 to Day 10. As per the comment on Line 70 below, no one is allowed to enter the vault within the settlement window.
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/Boosted3TokenAuraVault.sol#L64
However, per the check at Line 55 below, a user can enter the vault as long as it has not passed the maturity day (Day 10) yet. Therefore, it is possible for a user to enter the vault within the settlement window.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L34
Impact
Allowing users to enter a vault within the settlement windows essentially breaks the specification/requirement of allowing no one to enter the vault within the settlement window. It will cause internal accounting issues within the vault if this happens.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/Boosted3TokenAuraVault.sol#L64
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L34
Tool used
Manual Review
Recommendation
It is recommended that no one is allowed to enter the vault within the settlement window under any circumstance. The settlement window is from `maturity - SETTLEMENT_PERIOD_IN_SECONDS` to `maturity`.
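The gap between the two checks described in the report, written out as an added Solidity example (not code from the Notional repositories or from the report's author). Apart from `SETTLEMENT_PERIOD_IN_SECONDS` and `maturity`, every name is hypothetical, and the 3-day value and the strict comparisons are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration of a maturity-only entry check beside a window-aware one.
/// Hypothetical contract; it does not reproduce the audited code.
contract SettlementWindowExample {
    // Assumed value: the 3-day settlement period used in the report's example.
    uint256 public constant SETTLEMENT_PERIOD_IN_SECONDS = 3 days;

    error MaturityPassed(uint256 timestamp, uint256 maturity);
    error InsideSettlementWindow(uint256 timestamp, uint256 windowStart, uint256 maturity);

    /// Entry check as the report describes it: allowed while maturity has not passed.
    /// Modelled here as a strict comparison (assumption).
    function canEnterMaturityOnly(uint256 maturity, uint256 timestamp) public pure returns (bool) {
        return timestamp < maturity;
    }

    /// Start of the settlement window. Clamped to 0 so a maturity shorter than the
    /// period cannot underflow; in that case the whole lifetime is inside the window.
    function windowStart(uint256 maturity) public pure returns (uint256) {
        return maturity > SETTLEMENT_PERIOD_IN_SECONDS ? maturity - SETTLEMENT_PERIOD_IN_SECONDS : 0;
    }

    /// Check following the recommendation: entry must happen before the window opens.
    function canEnterOutsideWindow(uint256 maturity, uint256 timestamp) public pure returns (bool) {
        return timestamp < windowStart(maturity);
    }

    /// True for exactly the timestamps the report is about: accepted by the
    /// maturity-only check, yet inside [maturity - SETTLEMENT_PERIOD_IN_SECONDS, maturity).
    function inReportedGap(uint256 maturity, uint256 timestamp) external pure returns (bool) {
        return canEnterMaturityOnly(maturity, timestamp) && !canEnterOutsideWindow(maturity, timestamp);
    }

    /// Guard an entry path could call before accepting a deposit.
    function requireEntryAllowed(uint256 maturity) external view {
        if (block.timestamp >= maturity) revert MaturityPassed(block.timestamp, maturity);
        uint256 start = windowStart(maturity);
        if (block.timestamp >= start) revert InsideSettlementWindow(block.timestamp, start, maturity);
    }
}
```

Calling `inReportedGap` with timestamps on either side of `windowStart(maturity)` and of `maturity` shows the boundary behaviour: the window start itself is rejected by the window-aware check, and `maturity` itself is rejected by both.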