Closed sherlock-admin4 closed 1 month ago
2 comment(s) were left on this issue during the judging contest.
Nihavent commented:
This was acknowledged as a known issue in the natspec https://github.com/sherlock-audit/2024-06-new-scope/blob/c8300e73f4d751796daad3dadbae4d11072b3d79/zerolend-one/contracts/interfaces/vaults/ICuratedVaultBase.sol#L175-L176
Honour commented:
might require sponsor input. Invalid: for the following reasons. 1. Updating withdraw queue should not decrease total assets as this would directly impact depositors(i.e loss of funds) so we can assume pools removed are empty or their funds & accrued interest have been reallocated via
reallocate
. 2. updating withdraw queue is an admin operation
0xc0ffEE
Medium
Vault protocol fees can be bypassed when removing markets
Summary
When the market is removed/disabled, the total last asset is not deducted, causing the next action can not accrue protocol fees
Root Cause
The function
CuratedVault#updateWithdrawQueue()
allows allocators to update queue orders and to remove markets which is proposed to be removed. However the function does not deducttotalLastAsset
, which tracks the total asset currently controlled by the vault. And at the next vault action,totalLastAsset > currentTotalAssets
(current total asset only accounts for assets supplied to the markets in the withdraw queue) which behaves that vault does not have interest. => Protocol fees is bypassed andtotalLastAsset
is set tocurrentTotalAssets
Internal pre-conditions
External pre-conditions
Attack Path
Impact
Protocol fees is bypassed
PoC
Add this test to the test file
test/vaults/ERC4626Test.sol
Run the test
test_marketRemove
and the console shows:Mitigation
Deduct
lastTotalAssets
by the total amount supplied to the market to be removedDuplicate of #448