Migrator contract lacks sufficient permissions over vault positions
Summary
The migrator contract lacks sufficient permissions over vault shares to successfully perform migration.
Vulnerability Detail
Since vault potentially holds an Alchemix position over a long time during which changes at Alchemix could happen, the migration_admin has complete control over the vault and its position after giving depositors a 30 day window to liquidate (or transfer with a flashloan) their position if they're not comfortable with the migration.
We see that all that migrate() does is to trigger the migrate() function on the migration contract. However, no permissions over the vault's shares were given to the migration contract to enable it to say, liquidate to underlying or yield tokens. It also goes against what was intended, that is, "complete control over the vault and its position".
@external
def migrate():
"""
@notice
Calls migrate function on the set migrator contract.
This is just in case there are severe changes in Alchemix that
require a full migration of the existing position.
"""
assert self.migration_active <= block.timestamp, "migration not active"
assert self.migration_executed == False, "migration already executed"
self.migration_executed = True
Migrator(self.migrator).migrate()
Impact
Funds / positions cannot be successfully migrated due to lacking permissions.
hickuphh3
medium
Migrator contract lacks sufficient permissions over vault positions
Summary
The migrator contract lacks sufficient permissions over vault shares to successfully perform migration.
Vulnerability Detail
We see that all that
migrate()
does is to trigger themigrate()
function on the migration contract. However, no permissions over the vault's shares were given to the migration contract to enable it to say, liquidate to underlying or yield tokens. It also goes against what was intended, that is, "complete control over the vault and its position".Impact
Funds / positions cannot be successfully migrated due to lacking permissions.
Code Snippet
https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L545-L556
Tool used
Manual Review
Recommendation
In addition to invoking the
migrate()
function, consider callingapproveWithdraw()
on the migrator contract for all of the vault's shares. https://alchemix-finance.gitbook.io/v2/docs/alchemistv2#approvewithdrawAlso consider using
raw_call()
for this function call because the currentalchemist
possibly reverts, bricking the migration process entirely.