ReaperBaseStrategyv4.harvest() might revert in an emergency (#730)
Labels:
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
M-03
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/abstract/ReaperBaseStrategyv4.sol#L109
https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L200
Vulnerability details
Impact
ReaperBaseStrategyv4.harvest() might revert in an emergency if there is no position on the lending pool. As a result, the funds might be locked inside the strategy.
Proof of Concept
The main problem is that the Aave lending pool doesn't allow 0 withdrawals. So the below scenario would be possible.

It's because _adjustPosition() leaves the debt in place during reinvesting, and there is also an authorizedWithdrawUnderlying() for STRATEGIST to withdraw from the lending pool.

harvest() tries to liquidate all positions (= 0 actually) and it will revert because of the 0 withdrawal from Aave.

withdraw() will revert at L98 as the strategy is in debt.

As a result, the funds might be locked inside the strategy unless the emergency mode is canceled.

Tools Used
Manual Review
Recommended Mitigation Steps
We should check for a 0 withdrawal in _withdrawUnderlying().
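The following Solidity sketch is an added example and not the Ethos-Vault code. It pairs a constructed mock pool that rejects zero-amount withdrawals (the one Aave V2 property the finding depends on; the real validateWithdraw() reverts with error code "1", VL_INVALID_AMOUNT) with two versions of a hypothetical _withdrawUnderlying-style function: the unguarded pattern the report describes, where clamping the amount to the pool balance can still forward a 0 to the pool, and the guarded version that returns early when there is nothing to withdraw, so an emergency liquidation of an empty position no longer reverts. The mock's accounting, the contract and function names, and the seed() helper are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Aave V2's ILendingPool; the real interface declares more functions.
interface ILendingPool {
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

// Constructed mock pool (not Aave). It reproduces only the behaviour the report relies on:
// a withdrawal of amount == 0 reverts, exactly as Aave V2's validateWithdraw() does.
contract MockLendingPool is ILendingPool {
    // asset => user => supplied amount (hypothetical, simplified accounting; no aTokens)
    mapping(address => mapping(address => uint256)) public supplied;

    // Test helper (constructed): sets a user's supplied balance without any token transfer.
    function seed(address asset, address user, uint256 amount) external {
        supplied[asset][user] = amount;
    }

    function withdraw(address asset, uint256 amount, address /* to */) external override returns (uint256) {
        require(amount != 0, "1"); // Aave V2: Errors.VL_INVALID_AMOUNT
        uint256 bal = supplied[asset][msg.sender];
        // type(uint256).max means "withdraw everything", as in Aave V2.
        uint256 toWithdraw = amount == type(uint256).max ? bal : amount;
        require(toWithdraw <= bal, "5"); // Aave V2: Errors.VL_NOT_ENOUGH_AVAILABLE_USER_BALANCE
        supplied[asset][msg.sender] = bal - toWithdraw;
        // The underlying token transfer is omitted: the mock only models the revert paths.
        return toWithdraw;
    }
}

// Hypothetical strategy fragment (not ReaperStrategyGranarySupplyOnly): only the
// pool-withdraw path is modelled, so the effect of the zero-amount guard is isolated.
contract ZeroWithdrawGuardExample {
    MockLendingPool public immutable pool;
    address public immutable want;

    constructor(MockLendingPool _pool, address _want) {
        pool = _pool;
        want = _want;
    }

    // Amount currently supplied to the pool by this strategy.
    function balanceOfPool() public view returns (uint256) {
        return pool.supplied(want, address(this));
    }

    // Pattern the report describes: the request is clamped to the pool balance, but a
    // resulting 0 is still forwarded to the pool, which reverts when the position is empty.
    function withdrawUnderlyingUnguarded(uint256 amount) public returns (uint256) {
        uint256 withdrawable = balanceOfPool();
        if (amount > withdrawable) amount = withdrawable;
        return pool.withdraw(want, amount, address(this));
    }

    // Recommended mitigation: return early instead of asking the pool for 0.
    function withdrawUnderlyingGuarded(uint256 amount) public returns (uint256) {
        uint256 withdrawable = balanceOfPool();
        if (amount > withdrawable) amount = withdrawable;
        if (amount == 0) return 0; // nothing to withdraw; never forward a 0 to the pool
        return pool.withdraw(want, amount, address(this));
    }

    // Emergency-exit style "liquidate everything" call, as harvest() would perform it.
    // With an empty position this reverts via the unguarded path and succeeds via the guarded one.
    function liquidateAllPositions(bool guarded) external returns (uint256) {
        uint256 all = balanceOfPool();
        return guarded ? withdrawUnderlyingGuarded(all) : withdrawUnderlyingUnguarded(all);
    }
}
```

To observe the failure mode, deploy both contracts without calling seed() (so balanceOfPool() is 0) and call liquidateAllPositions(false): the mock reverts with "1", mirroring the harvest() revert in the report. liquidateAllPositions(true) returns 0 and leaves the strategy able to continue its emergency exit. The guard belongs in the single internal withdraw helper rather than in each caller, so that every path that can compute a zero amount (harvest, withdraw, the strategist's authorized withdrawal) is covered at once.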