Auction is not compatible with modules using external positions
Summary
Components used in the auction module can not have any external positions. This is not a necessary condition, it blocks the auction module from being used with all modules that use external positions.
Vulnerability Detail
Due to the following code in the startRebalance() function
for (uint256 i = 0; i < allComponents.length; i++) {
require(!_setToken.hasExternalPosition(allComponents[i]), "External positions not allowed");
executionInfo[_setToken][IERC20(allComponents[i])] = allAuctionParams[i];
}
components with a default position but also an external position are blocked from using this module.
Impact
The module is not compatible with other modules that use external positions even though it should be.
Many modules can be compatible with the auction module even with external positions as long as the default position does not impact the security off the external position.
This can be done by adding a new mapping to the auction module
mapping (address => bool) isWhiteListedModule;
in the startBalance() we use the getExternalPositionModules() function on each component to get externalPositionModules. We can now check that a component with an external position only uses whitelisted modules.
qandisa
medium
Auction is not compatible with modules using external positions
Summary
Components used in the auction module can not have any external positions. This is not a necessary condition, it blocks the auction module from being used with all modules that use external positions.
Vulnerability Detail
Due to the following code in the
startRebalance()functioncomponents with a default position but also an external position are blocked from using this module.
Impact
The module is not compatible with other modules that use external positions even though it should be.
Code Snippet
https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L269
https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L756
Tool used
Manual Review
Recommendation
Many modules can be compatible with the auction module even with external positions as long as the default position does not impact the security off the external position.
This can be done by adding a new mapping to the auction module
in the
startBalance()we use thegetExternalPositionModules()function on each component to getexternalPositionModules. We can now check that a component with an external position only uses whitelisted modules.