AuraSpell does not validate that borrowToken belongs to the underlying pool
Summary
In AuraSpell.openPositionFarm, the param.borrowToken is never validated. It is therefore possible to borrow any arbitrary token from the BlueBerryBank and leave the borrowed tokens stuck in the AuraSpell contract.
Vulnerability Detail
AuraSpell.openPositionFarm does not validate param.borrowToken as a constituent of the underlying Balancer pool. The ensuing logic computes poolAmountOut using the AuraSpell's balances of the true underlying tokens, and it gracefully skips the BalancerVault.joinPool step if poolAmountOut is zero.
Therefore, borrowing a non-pool token from the BlueBerryBank will actually succeed and create a debt, but those borrowed tokens will remain stuck in the AuraSpell contract.
Impact
Tokens can be borrowed without utilization, creating a debt and leaving the borrowed tokens stuck.
First, create an integration test for the Aura spell. There are tests for Convex, Curve, and Ichi, but not Aura. A test would likely have caught this issue.
See the IchiSpell for an example of proper validation.
cuthalion0x
high
AuraSpelldoes not validate thatborrowTokenbelongs to the underlying poolSummary
In
AuraSpell.openPositionFarm, theparam.borrowTokenis never validated. It is therefore possible to borrow any arbitrary token from theBlueBerryBankand leave the borrowed tokens stuck in theAuraSpellcontract.Vulnerability Detail
AuraSpell.openPositionFarmdoes not validateparam.borrowTokenas a constituent of the underlying Balancer pool. The ensuing logic computespoolAmountOutusing theAuraSpell's balances of the true underlying tokens, and it gracefully skips theBalancerVault.joinPoolstep ifpoolAmountOutis zero.Therefore, borrowing a non-pool token from the
BlueBerryBankwill actually succeed and create a debt, but those borrowed tokens will remain stuck in theAuraSpellcontract.Impact
Tokens can be borrowed without utilization, creating a debt and leaving the borrowed tokens stuck.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L80-L84
Tool used
Manual Review
Recommendation
First, create an integration test for the Aura spell. There are tests for Convex, Curve, and Ichi, but not Aura. A test would likely have caught this issue.
See the
IchiSpellfor an example of proper validation.https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/IchiSpell.sol#L84-L87