Closed sherlock-admin4 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because users can always optionally call deposit() by pre-converting DAI/sDAI, ETH/stETH, ETH/eTH at their control
Please see https://github.com/sherlock-audit/2024-05-sophon-judging/issues/3 and https://github.com/sherlock-audit/2024-05-sophon-judging/issues/67 for commented reasonings similarly related to this report.
Kirkeelee
medium
No slippage protection when depositing and withdrawing to the predefinedPool
Summary
Protocol allows to deposit different assets into the predefined pools. While depositing the assets are converted to one of the following assets: sDAI, wstETH, weETH. It is assumed that these are always in peg with their corresponding assets which is not always the case.
Vulnerability Detail
Lets say that you deposit 10 DAI to the
PredefinedPool.sDAI
with 0 boost amount. Deposit amount is stored as sDAI in theuser.depositAmount
. The amount depends on the conversion rate at that time. When you call the withdraw function after the point farming has ended you are given back the sDAI, not DAI. Users need to convert to DAI themselves.This example is true for all other predefined pools. There will be a loss of user funds if the market is volatile either during the deposit or after withdraw.
Impact
Users losing funds as a result of the conversion rate difference between the assets of the predefined pools.
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L548-L566
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L699-L741
Tool used
Manual Review
Recommendation
Since the conversation is mostly done by protocol during the deposit,
minAmount
should be defined by user so that there is no funds loss. After the withdraw it is up to the user to find the favorable market conditions.