Closed sherlock-admin2 closed 2 months ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
Low QA on safeTransfer
Low QA on safeTransfer
This report should be rejudged. The above comment by the judge does not give any reason in regards to why this report is invalid, which hints the judge has invalidated this by mistake.
Escalate
On behalf of @Bauchibred
Escalate
On behalf of @Bauchibred
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Reasonings are yet to be provided by the sponsors disputing this finding.
From the links sent by @Bauchibred in the report, we can find the L2 Aave pool contract here and as we see, the function supply, firstly, convert the bytes32 args into parameters and then calls another supply function. This supply function is from the Aave Pool contract here. It's public and matches the function called by Union. Hence, I don't really understand the problem, since L2 Pool inherits Pool contract, so calling supply(address,uint256,address,uint16)
should also work, no? Am I missing something here?
Hi @WangSecurity, thanks for that explanation! You're right, this indeed is a non issue cause the supply()
is publicly available, I had wrongly assumed the implementations to be similar to how distinct Convex boosters are on the mainnet and side chains, but AAVE works fine.
@Bauchibred interesting assumption though, will note that about Convex boosters!
Planning to reject the escalation and leave the issue as it is.
Result: Invalid Unique
Bauchibred
Medium
AaveV3Adapter
is going to be heavily non-functional in some to-deploy chainsSummary
AaveV3Adapter
is going to be heavily non-functional in some to-deploy chains since on Arbitrum & Optimism, depositing/withdrawing to/fro the lending pool would be impossible.Vulnerability Detail
First note that from the readMe, the below has been hinted, which indicates that the protocol is to be deployed on any EVM compatible chain.
https://github.com/sherlock-audit/2024-06-union-finance-update-2/blob/7ffe43f68a1b8e8de1dfd9de5a4d89c90fd6f710/README.md#L10-L12
Now there exist an implementation of the AAVEV3Adapter in scope, which the
AssetManager
always calls and it includes different functionalities including how deposits can be done as shown here: https://github.com/sherlock-audit/2024-06-union-finance-update-2/blob/7ffe43f68a1b8e8de1dfd9de5a4d89c90fd6f710/union-v2-contracts/contracts/asset/AaveV3Adapter.sol#L205-L217Issue however is that this implementation would not work on Arbitrum and optimism chain, which is because from the Aave V3 documentation, Arbitrum and Optimism are using different pool contracts than the ones used on e.g. Ethereum main net. The difference is mainly that the arguments taken by the pool functions relevant to the AaveConnector (supply, borrow, repay, repayWithATokens and withdraw) take a bytes32 variable as an argument instead of multiple different arguments:
That's to say the supply function on Ethereum looks like this:
Whereas the same function in the optimized L2Pool contract looks like this:
Using any EVM signature database tool we can see how different these signatures are, i.e, see the disparity in the
supply()
for the ethereum mainnet and other L2s where the protocol would deploy to and why the attempts would never work.Impact
The
AaveV3Adapter
is going to be heavily non-functional since it's core functionalities would not function as intended and it would be impossible to deposit tokens into the lending pool.They would always revert since the signatures would never match with what's on the L2pool contract, see https://github.com/aave/aave-v3-core/blob/724a9ef43adf139437ba87dcbab63462394d4601/contracts/protocol/pool/L2Pool.sol#L43
Code Snippet
https://github.com/sherlock-audit/2024-06-union-finance-update-2/blob/7ffe43f68a1b8e8de1dfd9de5a4d89c90fd6f710/union-v2-contracts/contracts/asset/AaveV3Adapter.sol#L205-L217
Tool used
Recommendation
Consider creating a separate contract for the
AaveV3Adapter
for Arbitrum & Optimism that correctly accounts for the native implementation on these chains.