search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

0x52 - AuraSpell#openPositionFarm uses incorrect join type for balancer #120

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

0x52

medium

AuraSpell#openPositionFarm uses incorrect join type for balancer

Summary

The JoinPoolRequest uses "" for userData meaning that it will decode into 0. This is problematic because join requests of type 0 are "init" type joins and will revert for pools that are already initialized.

Vulnerability Detail

https://etherscan.io/address/0x5c6ee304399dbdb9c8ef030ab642b10820db8f56#code#F24#L49

enum JoinKind { INIT, EXACT_TOKENS_IN_FOR_BPT_OUT, TOKEN_IN_FOR_EXACT_BPT_OUT }

We see above that enum JoinKind is INIT for 0 values.

https://etherscan.io/address/0x5c6ee304399dbdb9c8ef030ab642b10820db8f56#code#F24#L290

        return _joinExactTokensInForBPTOut(balances, normalizedWeights, userData);
    } else if (kind == JoinKind.TOKEN_IN_FOR_EXACT_BPT_OUT) {
        return _joinTokenInForExactBPTOut(balances, normalizedWeights, userData);
    } else {
        _revert(Errors.UNHANDLED_JOIN_KIND);
    }

Here user data is decoded into join type and since it is "" it will decode to type 0 which will result in a revert.

Impact

Users will be unable to open any farm position on AuraSpell

Code Snippet

AuraSpell.sol#L63-L147

Tool used

Manual Review

Recommendation

Uses JoinKind = 1 for user data

Gornutz commented 1 year ago

https://github.com/Blueberryfi/blueberry-core/commit/2d4e6173f472df8d60498f073d4da0952d7cc4d3

IAm0x52 commented 1 year ago

Fix contains excess logic that doesn't seem necessary. Waiting for additional clarification/changes