This repository has been archived by the owner on May 26, 2023. It is now read-only.
xiaoming90 - totalBPTSupply
will be excessively inflated
#11
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
xiaoming90
high
totalBPTSupply
will be excessively inflatedSummary
The
totalBPTSupply
will be excessively inflated astotalSupply
was used instead ofvirtualSupply
. This might cause a boosted balancer leverage vault not to be emergency settled in a timely manner and holds too large of a share of the liquidity within the pool, thus having problems exiting its position.Vulnerability Detail
Balancer's Boosted Pool uses Phantom BPT where all pool tokens are minted at the time of pool creation and are held by the pool itself. Therefore,
virtualSupply
should be used instead oftotalSupply
to determine the amount of BPT supply in circulation.However, within the
Boosted3TokenAuraVault.getEmergencySettlementBPTAmount
function, thetotalBPTSupply
at Line 169 is derived from thetotalSupply
instead of thevirtualSupply
. As a result,totalBPTSupply
will be excessively inflated (2**(111)
).https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/Boosted3TokenAuraVault.sol#L169
As a result, the
emergencyBPTWithdrawThreshold
threshold will be extremely high. As such, the condition at Line 97 will always be evaluated as true and result in a revert.https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/settlement/SettlementUtils.sol#L86
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/BalancerVaultStorage.sol#L52
Impact
Anyone (e.g. off-chain keeper or bot) that relies on the
SettlementUtils.getEmergencySettlementBPTAmount
to determine if an emergency settlement is needed would be affected. The caller will presume that since the function reverts, emergency settlement is not required and the BPT threshold is still within the healthy level. The caller will wrongly decided not to perform an emergency settlement on a vault that has already exceeded the BPT threshold.If a boosted balancer leverage vault is not emergency settled in a timely manner and holds too large of a share of the liquidity within the pool, it will have problems exiting its position.
Code Snippet
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/Boosted3TokenAuraVault.sol#L169
Tool used
Manual Review
Recommendation
Update the function to compute the
totalBPTSupply
from the virtual supply.The text was updated successfully, but these errors were encountered: