search

sherlock-audit / 2024-05-napier-update-judging

8 stars 7 forks source link

KupiaSec - MetapoolRouter.swapETHForYt() validates a wrong condition and this blocks intended workflow in most cases #77

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

KupiaSec

medium

MetapoolRouter.swapETHForYt() validates a wrong condition and this blocks intended workflow in most cases

Summary

There exists a needless validation in the flash loan callback and it blocks MetapoolRouter.swapETHForYt() in most cases.

Vulnerability Detail

MetapoolRouter.swapETHForYt() uses Balancer flash loan in order to get desired YT. In the flash loan callback, there exists a weird validation.

MetapoolRouter.sol
333:         if (repayAmount > remaining) revert Errors.MetapoolRouterInsufficientETHRepay();

The user of swapETHForYt needs to send more than spent of ETH in order to get needed YT. So remaining will be nearly 0 in most cases. 

MetapoolRouter.sol
332:     uint256 remaining = TransientStorage.tloadU256(TSLOT_CB_DATA_VALUE) - spent;

repayAmount is the amount for repaying to balancer flashloan. So the condition in line 333 holds in most cases and MetapoolRouter.swapETHForYt() will revert in most cases.

Impact

MetapoolRouter.swapETHForYt() doesn't work in most cases.

Tool used

Manual Review

Code Snippet

https://github.com/sherlock-audit/2024-05-napier-update/tree/main/metapool-router/src/MetapoolRouter.sol#L332-L333

Recommendation

Remove the validation in line 333 of MetapoolRouter.sol.

Duplicate of #36