Closed sherlock-admin closed 1 year ago
I don't believe there is any reason why the vault should be allowed to call back into `exitVault` inside a transaction. The vault should not be able to initiate larger exits than the user has requested.
The re-entrancy flag exists primarily for vaults that want to re-enter notional in order to initiate a new lending position (not to exit or enter other vaults).
xiaoming90
medium
Reentrancy flag is not supported when exiting vault
Summary
When the vault attempts to re-enter the `exitVault()` function, it will always revert due to the flash-loan/MEV mitigation control.
Vulnerability Detail
When the `enterVault()`, `rollVaultPosition()`, and `exitVault()` functions are called, they trigger the `settleAccountOrAccruePrimeCashFees()` function.
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultAccount.sol#L487
The `settleAccountOrAccruePrimeCashFees()` function will in turn call the `assessVaultFees()` function followed by the `calculateVaultFees()` function.
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L257
Within the `calculateVaultFees` function, it will update `vaultAccount.lastUpdateBlockTime` to `block.timestamp` at Line 257 above.
The purpose of enabling the re-entrancy flag on a vault is to allow the vault to call back to Notional for a second time to carry out the necessary actions (e.g. `enterVault`, `rollVaultPosition`, and `exitVault`).
However, it was observed that the re-entrancy flag would not work for the `exitVault` function. Assume the following scenario:
1) Someone calls the `enterVault`, `rollVaultPosition`, and `exitVault` functions
2) The `settleAccountOrAccruePrimeCashFees` function will be called, and `vaultAccount.lastUpdateBlockTime` is set to `block.timestamp`
3) Notional passes the control to the Strategy Vault
4) The Strategy Vault performs some actions and calls back to Notional's `exitVault` function
5) The `exitVault` function will always revert because the require statement at Line 242 `require(vaultAccount.lastUpdateBlockTime + Constants.VAULT_ACCOUNT_MIN_TIME <= block.timestamp);` will always be false.
6) Note that `vaultAccount.lastUpdateBlockTime` has been set to `block.timestamp` earlier. So the condition can be evaluated to `require(block.timestamp + Constants.VAULT_ACCOUNT_MIN_TIME <= block.timestamp)`, which will always be false.
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L242
Impact
Some strategy vaults are designed to rely on the ability to re-enter Notional to function properly. Without this ability, those vaults would be broken, potentially causing a wide range of issues such as being unable to enter/deposit/exit/redeem or stuck assets.
Code Snippet
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultAccount.sol#L487
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L257
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L242
Tool used
Manual Review
Recommendation
Consider allowing the vault to bypass the flash-loan/MEV mitigation control if the call comes from the vault itself.
It is important to verify that it does not cause a security implication on the Strategy Vault side before applying this change.
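A minimal model of the scenario described in the report, added here as an example (it is not Notional's code and not part of the report). `MiniNotional`, `ReenteringVault`, `depositFromNotional`, and the value 60 for `VAULT_ACCOUNT_MIN_TIME` are assumptions made for illustration; only the shape of the `require` check and the timestamp update follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this example; NOT Notional's contracts.
interface IStrategyVault {
    function depositFromNotional(address account) external;
}

contract MiniNotional {
    // Constructed value; the report only needs it to be greater than zero.
    uint256 public constant VAULT_ACCOUNT_MIN_TIME = 60;
    mapping(address => uint256) public lastUpdateBlockTime;

    // Stand-in for settleAccountOrAccruePrimeCashFees() -> calculateVaultFees().
    function _settle(address account) internal {
        lastUpdateBlockTime[account] = block.timestamp;
    }

    function enterVault(address account, IStrategyVault vault) external {
        _settle(account);                   // step 2: timestamp recorded
        vault.depositFromNotional(account); // step 3: control passes to the vault
    }

    function exitVault(address account) external {
        // Same shape as the check quoted from VaultAccountAction.sol#L242.
        require(
            lastUpdateBlockTime[account] + VAULT_ACCOUNT_MIN_TIME <= block.timestamp,
            "min time not elapsed"
        );
        _settle(account);
    }
}

// Hypothetical strategy vault that calls back into exitVault() (step 4).
contract ReenteringVault is IStrategyVault {
    bool public callbackReverted;

    function depositFromNotional(address account) external override {
        // try/catch records the revert instead of bubbling it up (steps 5-6).
        try MiniNotional(msg.sender).exitVault(account) {
            callbackReverted = false;
        } catch {
            callbackReverted = true;
        }
    }
}
```

After a call to `enterVault(account, vault)` with a `ReenteringVault`, `callbackReverted` is `true`: the callback runs in the same block as `_settle`, so the left-hand side of the check exceeds `block.timestamp` by `VAULT_ACCOUNT_MIN_TIME`.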