Stargate Pools conversion rate leads to token accumulation inside the Balancer contract
Summary
Stargate pools conversion rate leads to token accumulation inside the Balancer contract and dangling allowances to the StargateRouter contract. This breaks the expected behavior of the rebalancing process and can result in a loss of tokens.
Vulnerability Detail
Stargate pools have a concept of convert rate. It's calculated based on the sharedDecimals and localDecimals for a specific pool. For example, the DAI Pool has the sharedDecimals set to 6 while localDecimals is 18.
The convert rate is then: 10^(localDecimals - sharedDecimals) = 10^12.
Here is the DAI Pool on Ethereum and the convert rate logic inside the Pool contract.
During the rebalancing process:
the specified amount is extracted from the mTOFT
allowance is set for that amount to the StargateRouter contract
the rebalance amount is deducted
Stargate transfer is invoked.
However, if the specified amount is not a multiple of the conversion rate, which in the case of the DAI pool is 10^12, the consequences are:
There will be an unspent allowance from Balancer to the StargateRouter contract.
The remaining amount of tokens will accumulate inside the Balancer contract.
Repeatedly calling the rebalance function will leave more and more tokens inside the Balancer contract while leaving dangling allowances to the StargateRouter contract.
If there is an issue upstream inside the StargateRouter contract, it could result in the loss of the tokens accumulated inside the Balancer contract.
Impact
ERC20 tokens will accumulate inside the Balancer contract with dangling allowances left to the StargateRouter contract. Under certain conditions, this can result in a loss of tokens.
Code Snippet
Tool used
Manual Review
Recommendation
The recommendation is to add a check for the conversion rate and adjust the amount to be rebalanced accordingly.
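The accumulation and the recommended adjustment can be modelled with integer arithmetic. The following is an added example, not code from the audited contracts or from Stargate: `BalancerModel`, `rebalance`, `run` and the sample amounts are hypothetical, and it assumes the router pulls only whole multiples of the convert rate and that each approval overwrites the previous allowance.

```python
# Added model, not Tapioca or Stargate code. Amounts are integers in local decimals.
from dataclasses import dataclass

DAI_LOCAL_DECIMALS = 18   # from the finding
DAI_SHARED_DECIMALS = 6   # from the finding


def convert_rate(local_decimals: int, shared_decimals: int) -> int:
    """10^(localDecimals - sharedDecimals), as in the finding."""
    return 10 ** (local_decimals - shared_decimals)


@dataclass
class BalancerModel:
    rate: int
    balance: int = 0      # tokens held by the Balancer
    allowance: int = 0    # Balancer -> router allowance
    bridged: int = 0      # tokens the router actually pulled

    def _router_swap(self, amount: int) -> None:
        # Assumption: the router only pulls whole multiples of the convert rate.
        pulled = amount // self.rate * self.rate
        assert pulled <= self.allowance and pulled <= self.balance
        self.allowance -= pulled
        self.balance -= pulled
        self.bridged += pulled

    def rebalance(self, amount: int, align: bool = False) -> int:
        """Run one rebalance; returns the amount extracted from the mTOFT."""
        if align:
            # Recommended adjustment: round down before extracting and approving.
            amount -= amount % self.rate
        self.balance += amount     # extracted from the mTOFT
        self.allowance = amount    # approve() overwrites the previous allowance
        self._router_swap(amount)
        return amount


def run(amounts, align):
    model = BalancerModel(convert_rate(DAI_LOCAL_DECIMALS, DAI_SHARED_DECIMALS))
    for a in amounts:
        model.rebalance(a, align)
    return model


# Constructed sample amounts (wei of an 18-decimal token); not from the report.
SAMPLE = [1_500_000_000_000_000_123, 2 * 10**18 + 999_999_999_999, 10**12 + 7]
```

With `align=False` the three sample calls leave the remainders in `balance` and the last remainder in `allowance`; with `align=True` both end at zero and the same amount is bridged, because the remainder never leaves the mTOFT.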
GiuseppeDeLaZara
medium