Closed sherlock-admin2 closed 3 months ago
This is a duplicate with issue #71.
The protocol team fixed this issue in the following PRs/commits: https://github.com/beefyfinance/cowcentrated-contracts/pull/17/files
Issue and fix same as in #71
The Lead Senior Watson signed off on the fix.
Dliteofficial
medium
Use of CLPools where LPToken0 == output || LPToken1 == output would result in loss of LP rewards for LPs and temporary inability to harvest fees
Summary
Vulnerability Detail
During the initialization of the strategy, the initializer is required to provide the CLPool address. If a CLPool where LPToken0 == output || LPToken1 == output is used, there will be serious complications and this is possible because the LPToken0 and LPToken1 isn't checked that they are not the same as the output address in
StrategyPassiveManagerVelodrome::initialize
.Why is it important? Well, the output token is the reward token. The token in which the trading fees gathered from providing liquidity in the CLPool is paid. This token is also the token that the fees to the call recipient, DAO, etc. is paid on Beefy.
What complications would this cause? Let's take
StrategyPassiveManagerVelodrome::beforeAction()
for example:This function is called before
StrategyPassiveManagerVelodrome::withdraw()
. When this happens, the fees are accumulated (in output) and we remove liquidity (assuming LPToken1 is also output), the total of LPToken1 will be the removed liquidity + fees. If_harvest()
is not called quickly and all of the tokens are supplied again as liquidity, both the fee recipients and LPs will lose their entitlements. Particularly, the LPs. Since the tokens are reinvested, they will not be able to earn LP rewards. As for the fee recipients, because all of the tokens have been reinvested, they will temporarily be unable to claim their fees.Impact
Loss of LP rewards for LPs and temporary inability to harvest fees.
Code Snippet
Tool used
Manual Review
Recommendation
Duplicate of #71