Closed sherlock-admin closed 1 year ago
@weitianjie2000
BAL_TOKEN and AURA_TOKEN are added to the list of tokens to check in addition to the reward tokens returned by the LIQUIIDITY_GAUGE. If BAL or AURA are not transferred as a result of the reward claim, it would simply emit a 0 balance change for that token. There would be no other side effects of this hardcoding.
ctf_sec
high
BAL_TOKEN and AURA_TOKEN are hardcoded into the LIQUIDITY_GAUGE token reward in AuraStakingMixin.sol
Summary
BAL_TOKEN and AURA_TOKEN are hardcoded into the LIQUIDITY_GAUGE token reward in AuraStakingMixin.sol
Vulnerability Detail
BAL_TOKEN and AURA_TOKEN are hardcoded into the LIQUIDITY_GAUGE token reward in AuraStakingMixin.sol
the function assume that the token reward supported by LIQUIDITY_GAUGE must includes BAL_TOKEN and AURA_TOKEN, however, this is subject to change.
https://etherscan.io/address/0x3b8cA519122CdD8efb272b0D3085453404B25bD0?utm_source=immunefi#code
this Smart Contract - LiquidityGaugeV5 listed from Balancer immunefi bug bounty is an example.
We can see that if we read the smart contract,
https://etherscan.io/address/0x3b8cA519122CdD8efb272b0D3085453404B25bD0#readContract
the reward_count return 0.
Impact
If a list of reward token is not properly set up,
then the function
fails when we transfer the fee
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L41-L48
Tool used
Manual Review
Recommendation
We recommend the project not hard code the token type, instead we read the supported directly from the contract