AuraSpell openPositionFarm will revert when the tokens contains lpToken
Summary
AuraSpell's openPositionFarm will revert when tokens contains lpToken, because of an array length mismatch between maxAmountsIn and amountsIn.
Vulnerability Detail
In AuraSpell, openPositionFarm calls joinPool on Balancer's vault. Looking at the JoinPoolRequest struct it builds, maxAmountsIn and the amountsIn encoded in userData can end up with different lengths, and Balancer's vault requires these two arrays to have the same length, so the call reverts.
Both maxAmountsIn and amountsIn come from _getJoinPoolParamsAndApprove. Reading that function, the problem appears when tokens[i] == lpToken.
When tokens[i] == lpToken, the flag isLPIncluded is set to true and the function enters a branch that decreases the length of amountsIn. As a result, amountsIn and maxAmountsIn end up with different lengths.
In Balancer's JoinPoolRequest struct, maxAmountsIn and the second value decoded from userData (amountsIn) must have the same length, because Balancer checks this. Therefore, in this situation, the join reverts.
bitsurfer
medium
Impact
Users can't open a position on AuraSpell when tokens contains lpToken.
Code Snippet
https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L326-L328
Tool used
Manual Review
Recommendation
Remove the assembly code that decreases the amountsIn length when isLPIncluded is true, so that amountsIn and maxAmountsIn always have the same length.