cuthalion0x - `AuraSpell`'s Balancer pool join will always revert

[sherlock-admin]

cuthalion0x

high

AuraSpell's Balancer pool join will always revert

Summary

In AuraSpell.openPositionFarm, the call to BalancerVault.joinPool is not properly encoded and will always revert.

Vulnerability Detail

All Balancer Vault operations include an input argument called userData. This is optional for all known swaps, but it is very much required for all known joins and exits. In AuraSpell.openPositionFarm, a call to BalancerVault.joinPool leaves the userData empty. As a result, the join will always revert, and it will be impossible to open a position.

Impact

It is not possible to open a position using the AuraSpell.

Code Snippet

spell/AuraSpell.sol#L109-119, annotated below for clarity.

vault.joinPool(
    poolId,
    address(this),
    address(this),
    IBalancerVault.JoinPoolRequest(
        tokens,
        maxAmountsIn,
        "", // @audit-info This is the `userData` argument, which has been left empty.
        false
    )
);

Tool used

Manual Review

Recommendation

First, create an integration test for the Aura spell. There are tests for Convex, Curve, and Ichi, but not Aura. A test would likely have caught this issue.

To fix the issue, consult the Balancer docs on pool joins. Specifically, we probably want the "exact tokens" join type, whose userData looks like:

[uint256, uint256[], uint256]
[EXACT_TOKENS_IN_FOR_BPT_OUT, amountsIn, minimumBPT]

Note that this will also require specifying the minimumBPT that we will get out. We may have to leverage an oracle in order to compute this amount.

Duplicate of #120