YearnTokenAdapter allows a maximum loss of 100% when withdrawing #60
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/adapters/yearn/YearnTokenAdapter.sol#L13
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/adapters/yearn/YearnTokenAdapter.sol#L43
Vulnerability details
Impact
YearnTokenAdapter allows slippage of 100% when withdrawing from the vault which will cause a loss of funds.
Here's the documentation straight from the vault contract: https://github.com/yearn/yearn-vaults/blob/main/contracts/Vault.vy#L1025-L1073
It allows the user to specify the `maxLoss` as the last parameter. It determines how many shares can be burned to fulfill the withdrawal. Currently, the contract uses 10,000, which is 100%, meaning there is no slippage check at all. This is bound to cause a loss of funds. I'd suggest letting the user determine the slippage check themselves instead of hardcoding it.
Proof of Concept
Current `maxLoss` value: https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/adapters/yearn/YearnTokenAdapter.sol#L13

Call to Yearn vault's `withdraw()` function: https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/adapters/yearn/YearnTokenAdapter.sol#L43

Tools Used
none
Recommended Mitigation Steps
Allow the user to specify the slippage value themselves:
If you don't want to change the ITokenAdapter interface you can also leave the value blank. The vault will then use the default value (0.01%).