Open sherlock-admin4 opened 1 week ago
Escalate.
This is intended. An instance of each contract will be deployed for each supported token pair. This has been mentioned in the Readme, the discord server and noted in the code comments.
Escalate.
This is intended. An instance of each contract will be deployed for each supported token pair. This has been mentioned in the Readme, the discord server and noted in the code comments.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agreed - can close 👍. The design of the contracts seems to suggest multiple pools will be supported, but no issues as per the Readme.
Agree with the escalation, this is indeed the intended design of the protocol. Planning to accept the escalation and invalidate the issue.
0xbranded
Medium
Hardcoded Value Breaks Core Contract Functionality
Summary
The use of a hardcoded value for the pool id in
apy.vy
proxied calls makes every other pool in the system inaccessible.Vulnerability Detail
The comments indicate that
apy.vy
is the entry-point contract, which proxy's calls to core. However, each call made tocore.vy
includes a hardcoded value of 1 for the pool id:Within each of these functions in
core.vy
, the following checks are enforced:However the pools contract is designed to support multiple pools with differing pool id:
Thus, any user action with
core.vy
can interact only with this first pool and all pools with an id differing from 1 will be inaccessible.Impact
Core contract functionality is broken, leading to a DoS (which doesn't compromise funds, since pools cannot be interacted with to begin with).
Code Snippet
Tool used
Manual Review
Recommendation
Add an
id: uint256
parameter to the mentioned functions ofapi.vy
, and forward this value to the calls ofcore.vy
, rather than hardcoding 1.