Inefficient reward compounding in Votium Strategy #44
Comments
c4-submissions
added
2 (Med Risk)
|
This seems more of a gas optimization |
I was referring to the intermediate swap steps used to compound the rewards. In 2 out of 3 scenarios, rewards are first sold for ETH only to be swapped immediately back to CVX. The last leg is even fixed to the CVX/ETH pool. The recommendation here is to go directly with 0x, which would give a more optimized path, earning more value for depositors. |
|
0xleastwood marked the issue as primary issue |
c4-judge
added
the
primary issue
|
I agree that this is more of a optimisation that doesn't necessarily leak value unless the allowed slippage for performing two swaps is greater than if we were to route the swaps differently. |
|
To me, it makes sense to downgrade this to QA because it isn't clear how this might be exploited. |
c4-judge
removed
the
2 (Med Risk)
|
0xleastwood changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
|
0xleastwood marked the issue as grade-a |
|
elmutt (sponsor) confirmed |
c4-sponsor
added
sponsor confirmed
|
elmutt (sponsor) acknowledged |
|
elmutt (sponsor) confirmed |
c4-sponsor
added
sponsor confirmed
|
0xleastwood removed the grade |
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L272
Vulnerability details
Summary
Rewards acquired through the Votium strategy undergo a sequence of steps that involve multiple intermediate swaps, leading to an inefficient process that can negatively impact the protocol value.
Impact
Rewards obtained from the VotiumStrategy contract are compounded and deposited back into the protocol.
After tokens are claimed, the Rewarder role calls
applyRewards()to exchange rewards coming from Votium and Convex to ETH. The resulting amount of ETH is then sent to AfEth, which, depending on the current TVL ratio between the two collaterals, will end up either staking the ETH in SafEth, or depositing the ETH back to the VotiumStrategy contract, which will swap that ETH again to CVX tokens in order to lock them in the Convex platform.This means that rewards are swapped to ETH, only to be swapped again to other assets. In the case of SafEth, the staked ETH will be distributed according to the current weights of the different underlying staking protocols configured. In the case of VotiumStrategy the ETH will be swapped back to CVX.
It can be argued that it would be too difficult to handle this case efficiently for the SafEth staking scenario: the contracts in AfEth would need to know of the underlying split of the different LSD in order to know how to execute the swap. This could cause too much coupling and would require big architecture changes.
However, for the sole case of VotiumStrategy, a more efficient approach can be adopted. Knowing in advance that the rewards will be compounded back into the VotiumStrategy contract, rewards can be directly swapped to CVX instead of going through ETH first. This change is straightforward to implement, since the current intention is to use the Ox protocol: instead of swapping everything to ETH, just swap it to CVX and lock it.
Recommendation
To implement a more efficient reward compounding process, the current reward flow can be refactored to just swap to ETH when the conditions will make the rewards go into SafEth (
safEthRatio < ratio). In the other case (when rewards should be deposited back the Votium strategy), the implementation can directly swap rewards to CVX.Assessed type
Other
The text was updated successfully, but these errors were encountered: