A withdraw sequence entry is deleted in AssetManager's removeAdapter() using an incorrect index, so the sequence array becomes corrupted and withdrawals can end up unavailable.
Vulnerability Detail
The index used for adapter removal is determined for the moneyMarkets array but is applied to withdrawSeq as well, where the indices differ.
Impact
As the withdrawal logic is based on the withdraw sequence array, withdrawals can end up unavailable. For example, if 95% of the funds are held in a market whose entry corresponded to the removed index, withdrawals will be frozen for an arbitrary time for the whole protocol until withdrawSeq is manually restored.
Code Snippet
removeAdapter() determines the index for the moneyMarkets array, while withdrawSeq is set independently as a priority sequence of money market indices:
/**
 * @dev Set withdraw sequence
 * @param newSeq priority sequence of money market indices to be used while withdrawing
 */
function setWithdrawSequence(uint256[] calldata newSeq) external override onlyAdmin {
    if (newSeq.length != moneyMarkets.length) revert NotParity();
    withdrawSeq = newSeq;
}
So the index being deleted in withdrawSeq does not generally correspond to the adapter, i.e. some other market ends up being removed.
hyh
medium
Market adapter removal corrupts withdraw sequence
Summary
A withdraw sequence entry is deleted in AssetManager's removeAdapter() using an incorrect index, so the sequence array becomes corrupted and withdrawals can end up unavailable.
Vulnerability Detail
The index used for adapter removal is determined for the moneyMarkets array but is applied to withdrawSeq as well, where the indices differ.
Impact
As the withdrawal logic is based on the withdraw sequence array, withdrawals can end up unavailable. For example, if 95% of the funds are held in a market whose entry corresponded to the removed index, withdrawals will be frozen for an arbitrary time for the whole protocol until withdrawSeq is manually restored.
Code Snippet
removeAdapter() determines the index for the moneyMarkets array:
https://github.com/sherlock-audit/2023-02-union/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L435-L463
But withdrawSeq is a permutation of moneyMarkets, so their indices are independent and do not correspond to each other:
https://github.com/sherlock-audit/2023-02-union/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L136-L143
So the index being deleted in withdrawSeq does not generally correspond to the adapter, i.e. some other market ends up being removed:
https://github.com/unioncredit/union-v2-contracts/blob/49d1a7261a7be20fe77b91a8a73e3cba8bc5bda5/contracts/asset/AssetManager.sol#L464-L465
Tool used
Manual Review
Recommendation
Consider repeating the entry finding logic for withdrawSeq, for example:
https://github.com/sherlock-audit/2023-02-union/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L435-L463
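The index mismatch and the recommended second lookup, modelled in Python as an added example; this is not the AssetManager source or the author's code. It assumes removal is swap-and-pop, and it goes one step beyond the recommendation by renumbering the market that the swap moves; the market names and function names are hypothetical.

```python
# Added model of the array bookkeeping; not the AssetManager source.
# Assumption: removal is swap-and-pop (last element moves into the freed slot).

def find_market(money_markets, adapter):
    """Index of adapter in money_markets (the lookup removeAdapter() performs)."""
    return money_markets.index(adapter)

def remove_buggy(money_markets, withdraw_seq, adapter):
    """Reuses the moneyMarkets index as a position in withdrawSeq."""
    mm, seq = list(money_markets), list(withdraw_seq)
    index = find_market(mm, adapter)
    mm[index] = mm[-1]
    mm.pop()
    seq[index] = seq[-1]  # wrong: index is a position in mm, not in seq
    seq.pop()
    return mm, seq

def remove_fixed(money_markets, withdraw_seq, adapter):
    """Repeats the lookup for withdrawSeq, then renumbers the moved market."""
    mm, seq = list(money_markets), list(withdraw_seq)
    index = find_market(mm, adapter)
    last = len(mm) - 1
    mm[index] = mm[-1]
    mm.pop()
    seq.remove(index)  # drop the entry that refers to the removed market
    # The market that sat at `last` now lives at `index`; keep its priority slot.
    seq = [index if entry == last else entry for entry in seq]
    return mm, seq

def is_valid_sequence(withdraw_seq, market_count):
    """Invariant: withdrawSeq is a permutation of 0..market_count-1."""
    return sorted(withdraw_seq) == list(range(market_count))

def withdraw_order(money_markets, withdraw_seq):
    """Markets in the order a withdrawal would visit them."""
    return [money_markets[i] for i in withdraw_seq]

# Constructed sample state: three markets, withdraw from C first, then A, then B.
MARKETS = ["A", "B", "C"]
SEQ = [2, 0, 1]
```

Removing "B" with the buggy version leaves an out-of-range entry in the sequence, while removing "A" yields a valid permutation whose priority order is silently swapped, so the permutation invariant alone does not catch every case.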