search

sherlock-audit / 2023-01-derby-judging

4 stars 1 forks source link

bin2chen - setDeltaAllocationsInt() in the blacklist revert will cause the other also can not set #372

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

bin2chen

medium

setDeltaAllocationsInt() in the blacklist revert will cause the other also can not set

Summary

one protocol in the blacklist revert will cause the other also can not to be set

Vulnerability Detail

in setDeltaAllocationsInt() if _protocolNum in blacklist will revert The code is as follows:

  function setDeltaAllocationsInt(uint256 _protocolNum, int256 _allocation) internal {
    require(!controller.getProtocolBlacklist(vaultNumber, _protocolNum), "Protocol on blacklist"); //<----revert if in blacklist
    deltaAllocations[_protocolNum] += _allocation;
    deltaAllocatedTokens += _allocation;
  }

  function receiveProtocolAllocationsInt(int256[] memory _deltas) internal {
    for (uint i = 0; i < _deltas.length; i++) {
      int256 allocation = _deltas[i];
      if (allocation == 0) continue;
      setDeltaAllocationsInt(i, allocation);  //<----one in blacklist all will revert
    }

    deltaAllocationsReceived = true;
  }

If one of them is on the blacklist, all the others cannot be set Because most contracts are cyclic operation protocol lists, it is impossible to skip individually So it should be if in the blacklist, then the corresponding protocol _allocation can only be reduced and not increased such as: require(!controller.getProtocolBlacklist(vaultNumber, _protocolNum) || _allocation<=0, "Protocol on blacklist only reduced"); player can be reduced to 0

Impact

one protocol in the blacklist revert will cause the other also can not to be set

Code Snippet

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Vault.sol#L397

Tool used

Manual Review

Recommendation

  function setDeltaAllocationsInt(uint256 _protocolNum, int256 _allocation) internal {
-   require(!controller.getProtocolBlacklist(vaultNumber, _protocolNum), "Protocol on blacklist");
+   require(!controller.getProtocolBlacklist(vaultNumber, _protocolNum) || _allocation<=0, "Protocol on blacklist only reduced"); 
    deltaAllocations[_protocolNum] += _allocation;
    deltaAllocatedTokens += _allocation;
  }

Duplicate of #192