xiaoming90
medium
ETH can be sold during reinvestment
Summary
The existing control to prevent ETH from being sold during reinvestment can be bypassed, allowing the bots to accidentally or maliciously sell off the non-reward assets of the vault.
Vulnerability Detail
Multiple instances of this issue were found:
Instance 1 - Curve's Implementation
The _isInvalidRewardToken function attempts to prevent the callers from selling away ETH during reinvestment.
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/curve/ConvexStakingMixin.sol#L60
However, the code at Line 67 above will not achieve the intended outcome as Deployments.ALT_ETH_ADDRESS is not a valid token address in the first place.
When the caller is executing a trade with ETH, the address for ETH used is either Deployments.WETH or Deployments.ETH_ADDRESS (address(0)) as shown in the TradingUtils's source code, not the Deployments.ALT_ETH_ADDRESS.
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/trading/TradingUtils.sol#L128
As a result, the caller (bot) of the reinvestment function could still sell off the ETH from the vault, bypassing the requirement.
Instance 2 - Balancer's Implementation
When the caller is executing a trade with ETH, the address for ETH used is either Deployments.WETH or Deployments.ETH_ADDRESS (address(0)), as mentioned earlier. However, the AuraStakingMixin._isInvalidRewardToken function only blocks Deployments.WETH but not Deployments.ETH, so the caller (bot) of the reinvestment function could still sell off the ETH from the vault, bypassing the requirement.
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L38
Per the sponsor's clarification below, the contracts should protect against the bot doing unintended things (including acting maliciously) due to coding errors, which is one of the main reasons for having the _isInvalidRewardToken function. Thus, this issue is a valid bug in the context of this audit contest.
https://discord.com/channels/812037309376495636/1175450365395751023/1175781082336067655
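The two gaps described above, as an added example that is not code from the audited repository: a simplified model of only the ETH part of each check, next to a check that rejects every ETH identifier, plus a helper that a unit test can use as a regression guard. The contract and function names are hypothetical, and the WETH and ALT_ETH_ADDRESS values are constructed placeholders; only ETH_ADDRESS = address(0) comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration; models only the ETH-related comparison of each check.
contract EthSellGuardExample {
    // From the report: Deployments.ETH_ADDRESS is address(0).
    address internal constant ETH_ADDRESS = address(0);
    // Constructed placeholders standing in for Deployments.WETH and
    // Deployments.ALT_ETH_ADDRESS; not the deployed values.
    address internal constant WETH = address(uint160(0x1001));
    address internal constant ALT_ETH_ADDRESS = address(uint160(0x1002));

    /// Instance 1 (Curve): only the alternative sentinel is compared, which
    /// the trading path never uses, so ETH_ADDRESS and WETH are not rejected.
    function curveStyleCheck(address token) internal pure returns (bool) {
        return token == ALT_ETH_ADDRESS;
    }

    /// Instance 2 (Balancer): WETH is rejected, native ETH (address(0)) is not.
    function balancerStyleCheck(address token) internal pure returns (bool) {
        return token == WETH;
    }

    /// Hardened form: every identifier that can denote ETH is rejected.
    function hardenedCheck(address token) internal pure returns (bool) {
        return token == ETH_ADDRESS || token == WETH || token == ALT_ETH_ADDRESS;
    }

    /// Regression helper: true only when the supplied check rejects both
    /// identifiers the trading path accepts for ETH.
    function blocksTradableEth(
        function(address) internal pure returns (bool) check
    ) internal pure returns (bool) {
        return check(ETH_ADDRESS) && check(WETH);
    }

    /// Runs the helper over the three checks so a test can assert on each flag.
    function results()
        external
        pure
        returns (bool curveStyle, bool balancerStyle, bool hardened)
    {
        curveStyle = blocksTradableEth(curveStyleCheck);
        balancerStyle = blocksTradableEth(balancerStyleCheck);
        hardened = blocksTradableEth(hardenedCheck);
    }
}
```

A test that requires blocksTradableEth to hold for the vault's real check would have failed on both instances before deployment.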
Impact
The existing control to prevent ETH from being sold during reinvestment can be bypassed, allowing the bots to accidentally or maliciously sell off the non-reward assets of the vault.
Code Snippet
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/curve/ConvexStakingMixin.sol#L60
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L38
Tool used
Manual Review
Recommendation
To ensure that ETH cannot be sold off during reinvestment, consider the following changes:
Curve
Balancer