search

sherlock-audit / 2023-01-derby-judging

4 stars 1 forks source link

imare - Deposits and withdrawal can be blocked by anyone #373

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

imare

medium

Deposits and withdrawal can be blocked by anyone

Summary

Vaults have a modifier onlyWhenVaultIsOn that checks if a vault is enabled. In the case a vault is disabled then withdrawal and deposits for such vault are denied/reverted.

XChainController#sendFeedbackToVault its a method that can be called by anyone and can disable a targeted vault.

Vulnerability Detail

By calling this method:

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XChainController.sol#L247-L255

we can make the modifier

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/MainVault.sol#L75-L79

revert on deposits/withdrawals.

Impact

Anyone can block withdrawal/deposits from a vault

Code Snippet

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XChainController.sol#L247-L255

Tool used

Manual Review

Recommendation

Have an access guard on XChainController#sendFeedbackToVault for example like onlyGuardian.

mister0y commented 1 year ago

ChainId can be switched off by sendFeedbackToVault; incorrect because "vaults[_vaultNumber].chainIdOff[_chainId]" is set by "settleCurrentAllocation" which is internal. The function 'sendFeedbackToVaultreads out the variablevaults[_vaultNumber].chainIdOff[_chainId]and callssettleCurrentAllocation` crosschain.