This repository has been archived by the owner on May 26, 2023. It is now read-only.
xiaoming90 - Vault's totalStrategyTokenGlobal will not be in sync #15
Labels
High: A valid High severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
xiaoming90
high
Vault's totalStrategyTokenGlobal will not be in sync
Summary
The strategyContext.vaultState.totalStrategyTokenGlobal variable that tracks the number of strategy tokens held in the vault will not be in sync and will cause accounting issues within the vault.
Vulnerability Detail
The StrategyUtils._convertStrategyTokensToBPTClaim function might return zero if a small number of strategyTokenAmount is passed into the function. If (strategyTokenAmount * context.vaultState.totalBPTHeld) is smaller than context.vaultState.totalStrategyTokenGlobal, the bptClaim will be zero.
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/strategy/StrategyUtils.sol#L18
In Line 441 of the Boosted3TokenPoolUtils._redeem function below, if bptClaim is zero, it will return zero and exit the function immediately.
If a small number of strategyTokens is passed into the _redeem function and the bptClaim ends up as zero, the caller of the _redeem function will assume that all the strategyTokens have been redeemed.
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/pool/Boosted3TokenPoolUtils.sol#L432
The following function shows an example of the caller of the _redeem function at Line 171 below accepting the zero value as it does not revert when the zero value is returned by the _redeem function. Thus, it will consider the small number of strategyTokens to be redeemed. Note that the _redeemFromNotional function calls the _redeem function under the hood.
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/BaseStrategyVault.sol#L163
Subsequently, on Notional side, it will deduct the redeemed strategy tokens from its vaultState.totalStrategyTokens state (Refer to Line 177 below).
https://github.com/notional-finance/contracts-v2/blob/63eb0b46ec37e5fc5447bdde3d951dd90f245741/contracts/external/actions/VaultAction.sol#L157
However, the main issue is that when a small number of strategyTokens are redeemed and bptClaim is zero, the _redeem function will exit at Line 441 immediately. Thus, the redeemed strategy tokens are not deducted from the strategyContext.vaultState.totalStrategyTokenGlobal accounting variable on the Vault side.
Thus, strategyContext.vaultState.totalStrategyTokenGlobal on the Vault side will not be in sync with the vaultState.totalStrategyTokens on the Notional side.
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/pool/Boosted3TokenPoolUtils.sol#L432
Impact
The strategyContext.vaultState.totalStrategyTokenGlobal variable that tracks the number of strategy tokens held in the vault will not be in sync and will cause accounting issues within the vault. This means that the actual total strategy tokens in circulation and the strategyContext.vaultState.totalStrategyTokenGlobal will be different. The longer the issue is left unfixed, the larger the differences between them.
The strategyContext.vaultState.totalStrategyTokenGlobal will be larger than expected because it does not deduct the number of strategy tokens when it should be under certain conditions.
One example of the impact is as follows: The affected variable is used within the _convertStrategyTokensToBPTClaim, _convertBPTClaimToStrategyTokens and _getBPTHeldInMaturity functions. These functions are used within the deposit and redeem functions of the vault. Therefore, the number of strategy tokens or assets the users receive will not be accurate and might be less or more than expected.
Code Snippet
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/strategy/StrategyUtils.sol#L18
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/pool/Boosted3TokenPoolUtils.sol#L432
https://github.com/sherlock-audit/2022-12-notional/blob/main/contracts/vaults/balancer/internal/pool/TwoTokenPoolUtils.sol#L209
Tool used
Manual Review
Recommendation
The number of strategy tokens redeemed needs to be deducted from the vault's totalStrategyTokenGlobal regardless of the bptClaim value. Otherwise, the vault's totalStrategyTokenGlobal will not be in sync.
When bptClaim is zero, it does not always mean that no strategy token has been redeemed. Based on the current vault implementation, the bptClaim might be zero because the number of strategy tokens to be redeemed is too small and thus it causes Solidity to round down to zero.
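
A simplified Python model of the two ledgers described in this finding, added here as an illustration (it is not code from the Notional repository or from the report). The class and function names, the pool figures and the redemption amounts are constructed, and the deduct_before_zero_check flag stands for the change proposed in the Recommendation.

```python
# Simplified model of the two ledgers in this finding (constructed, not Notional's code).
# Python's // on non-negative ints truncates the same way Solidity's / does.

class VaultModel:
    def __init__(self, total_bpt_held, total_strategy_token_global, deduct_before_zero_check):
        self.total_bpt_held = total_bpt_held
        self.total_strategy_token_global = total_strategy_token_global
        # False = behaviour described in the report; True = the Recommendation applied
        self.deduct_before_zero_check = deduct_before_zero_check

    def convert_strategy_tokens_to_bpt_claim(self, strategy_token_amount):
        return (strategy_token_amount * self.total_bpt_held) // self.total_strategy_token_global

    def redeem(self, strategy_tokens):
        bpt_claim = self.convert_strategy_tokens_to_bpt_claim(strategy_tokens)
        if self.deduct_before_zero_check:
            self.total_strategy_token_global -= strategy_tokens
        if bpt_claim == 0:
            return 0  # early exit; in the reported behaviour nothing was deducted
        if not self.deduct_before_zero_check:
            self.total_strategy_token_global -= strategy_tokens
        self.total_bpt_held -= bpt_claim
        return bpt_claim


def simulate(deduct_before_zero_check, redemptions):
    """Return (vault_total, notional_total, drift) after the given redemptions."""
    vault = VaultModel(1_000, 1_000_000, deduct_before_zero_check)  # constructed figures
    notional_total_strategy_tokens = 1_000_000
    for amount in redemptions:
        vault.redeem(amount)  # the caller does not revert on a zero return
        notional_total_strategy_tokens -= amount  # the Notional side always deducts
    drift = vault.total_strategy_token_global - notional_total_strategy_tokens
    return vault.total_strategy_token_global, notional_total_strategy_tokens, drift


# Five dust redemptions (each rounds to a zero bptClaim) followed by one normal one.
SAMPLE_REDEMPTIONS = [500] * 5 + [10_000]

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "reported", simulate(fixed, SAMPLE_REDEMPTIONS))
```

The drift in the reported behaviour equals the sum of the dust redemptions, so an invariant check comparing the two totals after every redemption would flag the divergence.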