Ch_301 - Aura SPELL is not compatible with Balancer pools

[sherlock-admin]

Ch_301

high

Aura SPELL is not compatible with Balancer pools

Summary

The AuraSpell.sol defines how Blueberry Protocol interacts with Aura pools.

Vulnerability Detail

On the openPositionFarm at the third step

        // 3. Add liquidity on Balancer, get BPT
        {
            IBalancerVault vault = wAuraPools.getVault(lpToken);
            _ensureApprove(param.borrowToken, address(vault), borrowBalance);

            (address[] memory tokens, uint256[] memory balances, ) = wAuraPools
                .getPoolTokens(lpToken);
            uint[] memory maxAmountsIn = new uint[](2);
            maxAmountsIn[0] = IERC20(tokens[0]).balanceOf(address(this));
            maxAmountsIn[1] = IERC20(tokens[1]).balanceOf(address(this));

The elements (address) on the tokens[ ] array are the list of which tokens can hold by the pool, and it could contain two elements (2 address) to eight elements (8 address).
this is one of the biggest pools on Balancer with three tokens USDC, DAI and USDT https://app.balancer.fi/#/ethereum/pool/0x79c58f70905f734641735bc61e45c19dd9ad60bc0000000000000000000004e7 But the maxAmountsIn [ ] can only take the two first indexes (token balance) from tokens[ ]. The main goal here is to read the balance of param.borrowToken in this SPELL. in case tokens[ ].length == 3 and the param.borrowToken address is in the least index on (e.g.tokens[3] == param.borrowToken) so the current strategy param.strategyId will never work

Impact

• The AuraSpell.sol can't handle some Balancer pools correctly
• The user will lose some fees if he invokes increasePosition() first, then he will fail to invoke openPositionFarm()

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L63-L95

        // 3. Add liquidity on Balancer, get BPT
        {
            IBalancerVault vault = wAuraPools.getVault(lpToken);
            _ensureApprove(param.borrowToken, address(vault), borrowBalance);

            (address[] memory tokens, uint256[] memory balances, ) = wAuraPools
                .getPoolTokens(lpToken);
            uint[] memory maxAmountsIn = new uint[](2);
            maxAmountsIn[0] = IERC20(tokens[0]).balanceOf(address(this));
            maxAmountsIn[1] = IERC20(tokens[1]).balanceOf(address(this));

Tool used

Manual Review

Recommendation

Check the tokens[ ].length

Duplicate of #127