Closed sherlock-admin closed 1 year ago
ak1
high
withdrawalRequest can be abused by user without paying fee to dao.
Summary
When there are not enough funds, user can raise a request for withdraw for X amount and can call the `withdrawAllowance()` to withdraw. The issue here is, user can raise request which will not give any fee in `uint256 govFee = (_value * governanceFee) / 10_000;`
Vulnerability Detail
Impact
Without paying fee to dao, user can withdraw.
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/MainVault.sol#L149-L189
Tool used
Manual Review
Recommendation
During the withdrawal request, check whether the amount can give any fee or not. If not, do not allow the request.
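A minimal hypothetical vault, added here as an illustration (it is neither Derby's MainVault nor the reporter's code), showing the quoted fee computation beside the request-time check the recommendation asks for; the function names, the 10 bps fee value and the allowance bookkeeping are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault reproducing govFee = (_value * governanceFee) / 10_000
// and the recommended "fee would be zero -> reject request" check.
contract FeeRoundingVault {
    uint256 public governanceFee = 10; // basis points; assumed value (0.1%)
    address public dao;
    mapping(address => uint256) public balance;
    mapping(address => uint256) public withdrawalAllowance; // assumed request bookkeeping

    constructor(address _dao) { dao = _dao; }

    function deposit() external payable { balance[msg.sender] += msg.value; }

    // Integer division truncates: with governanceFee == 10 every _value < 1000
    // yields a fee of 0, so such a request pays nothing to the DAO.
    function feeFor(uint256 _value) public view returns (uint256) {
        return (_value * governanceFee) / 10_000;
    }

    // Vulnerable pattern: any amount may be requested, including one whose fee rounds to 0.
    function withdrawalRequestVulnerable(uint256 _value) external {
        require(balance[msg.sender] >= _value, "insufficient balance");
        balance[msg.sender] -= _value;
        withdrawalAllowance[msg.sender] += _value;
    }

    // Hardened: reject a request whose governance fee would truncate to zero.
    function withdrawalRequest(uint256 _value) external {
        require(balance[msg.sender] >= _value, "insufficient balance");
        require(feeFor(_value) > 0, "amount too small to pay governance fee");
        balance[msg.sender] -= _value;
        withdrawalAllowance[msg.sender] += _value;
    }

    // Pays out the pending allowance, forwarding govFee to the DAO.
    function withdrawAllowance() external {
        uint256 value = withdrawalAllowance[msg.sender];
        require(value > 0, "no pending allowance");
        withdrawalAllowance[msg.sender] = 0; // effects before interactions
        uint256 govFee = feeFor(value);
        (bool okDao, ) = dao.call{value: govFee}("");
        (bool okUser, ) = msg.sender.call{value: value - govFee}("");
        require(okDao && okUser, "transfer failed");
    }
}
```

A request made through `withdrawalRequestVulnerable` for an amount below the fee threshold is paid out in full by `withdrawAllowance`, whereas `withdrawalRequest` reverts it.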