sherlock-admin4
commented
3 months ago 1 comment(s) were left on this issue during the judging contest.
DHTNS commented:
Low -> does not properly identify attack path so not a dup of #74
Closed sherlock-admin4 closed 3 months ago
sherlock-admin4
commented
3 months ago 1 comment(s) were left on this issue during the judging contest.
DHTNS commented:
Low -> does not properly identify attack path so not a dup of #74
0xboriskataa
high
Missing
onlyCalmPeriodsmodifier on important functionsSummary
Missing
onlyCalmPeriodsmodifier on important functionsVulnerability Detail
Beefy tries to to protect its users from price manipulation attacks (e.g. flash loan attacks) and it does so by allowing them to deposit only during a calm period. This is done with the implementation of the
onlyCalmPeriodsmodifier. However the issue is that this modifier is not used on thewithdraw()andharvest()functions.Impact
Because of this users are allowed to withdraw and harvest during unsafe periods which may lead to a loss for them
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol/#L425-L435 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol/#L226-L240
Tool used
Manual Review
Recommendation
Add the onlyCalmPeriods modifier to the
withdraw()andharvest()functionsDuplicate of #74