This repository has been archived by the owner on Feb 18, 2024. It is now read-only.
0x52 - ConvexSpell is completely broken for any curve LP that utilizes native ETH #105
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
0x52
medium
ConvexSpell is completely broken for any curve LP that utilizes native ETH
Summary
When a Curve pool utilizes native ETH it uses the address 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee. This is problematic because it will try to call balanceOf on this address which will always revert.
Vulnerability Detail
ConvexSpell.sol#L120-L127
ConvexSpell#openPositionFarm attempts to call balanceOf on each component of the LP. Since native ETH uses the 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee address, this call will always revert. This breaks compatibility with EVERY curve pool that uses native ETH, which make up most of the highest-volume pools on the platform.
Impact
ConvexSpell is completely incompatible with a majority of Curve pools
Code Snippet
ConvexSpell.sol#L92-L173
Tool used
Manual Review
Recommendation
I would recommend conversion between native ETH and wETH to prevent this issue.
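One way to apply the recommended ETH/wETH conversion, shown as an added sketch that is not code from ConvexSpell or from the report's author. The contract name NativeEthAware, the helper names _balanceOfCoin and _normalizeCoin, and the constructor-supplied wETH address are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IWETH is IERC20 {
    function deposit() external payable;
}

/// Hypothetical mixin (not part of the audited code base) that keeps the
/// native-ETH placeholder away from any ERC-20 call.
abstract contract NativeEthAware {
    // Placeholder Curve pools report for native ETH. No contract is deployed
    // at this address, so a high-level balanceOf call against it reverts.
    address internal constant ETH_SENTINEL =
        0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

    IWETH internal immutable weth; // assumed to be set by the deployer

    constructor(IWETH _weth) {
        weth = _weth;
    }

    /// Balance of one LP component held by this contract.
    function _balanceOfCoin(address coin) internal view returns (uint256) {
        if (coin == ETH_SENTINEL) return address(this).balance;
        return IERC20(coin).balanceOf(address(this));
    }

    /// Wraps any native ETH held and returns the ERC-20 address and balance
    /// that downstream token logic can use for this component.
    function _normalizeCoin(address coin)
        internal
        returns (address token, uint256 amount)
    {
        if (coin != ETH_SENTINEL) return (coin, _balanceOfCoin(coin));
        uint256 native = address(this).balance;
        if (native > 0) weth.deposit{value: native}();
        // Includes wETH already held before wrapping.
        return (address(weth), weth.balanceOf(address(this)));
    }

    // Needed so a pool can send native ETH to this contract at all.
    receive() external payable {}
}
```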