-
Notifications
You must be signed in to change notification settings - Fork 5
xiaoming90 - Maximum number of tokens supported is incorrect #70
Comments
I think we will probably leave it at 5 including the BPT. I'm not sure whether to confirm or deny this report, it's technically accurate but we also won't really do anything about it. |
I think this is similar to #101 in the sense that I believe notional would definitely be interested in future composable stable pools that supports 6 tokens if it is potentially profitable for the protocol. |
I think that's debatable, the 5 tokens supports the current 4 stablecoin pool on Arbitrum. As the total number of tokens increases so does the gas cost of supporting such a pool and there's some upper bound where the economics are really too complex. It's a design decision where we put that limit and I do not think we will be adding another token. I also don't think it's likely the Balancer will support such pools. In practice, I believe it is more common to see a stablecoin plus the LP token of the 4Pool in a 2 token setup. This type of nested pool is not supported by our codebase but is something we may look into in the future. |
Since this falls under this section of sherlock rules here, I am going to maintain medium since this issue and #101 was not explicitly mentioned in the docs/README as not intended, so I think it is fair that watsons bring these issues up even though it is implicitly implied, unless there is some information pointing to this.
|
Escalate |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Just to add-on:
|
@xiaoming9090 this issue is a unique issue not duplicated to any other report. |
Hey @nevillehuang , thanks for the insight. What I meant by my comments in these 2 issues is that , I don't believe this should be considered mediums in reality since they are design choices that does not really have an impact on the protocol itself. The fact that they can "miss" some possible revenue for not implementing all the pools should not be mediums in general, since this does not impose any real impact. Usually these are considered advice, and taken as low/informational, since it doesn't impose any real impact for the protocol. A protocol can choose how many pools/tokens they intend to work with and usually this can be understood from the code itself. I'm saying this because I believe this could start to be abused and hurt Sherlock in the long run, to get some easy mediums, which in reality should not be considered mediums in the security research space. That's why I escalated these issues, I let the judges take their final decision. |
I agree with your approach @VagnerAndrei26. In general, if smart contracts are valid, but the implementation differs from the documentation, I allow the issues to be a valid issue only if the expectation of the contracts working as specified in the docs will cause loss of funds. This is not the case here. Or at least the Impact section doesn't present such a scenario. Also, opportunity loss is not a loss of funds. Missing revenue because of no clients is not a loss of revenue from the security perspective. Planning to accept the escalation and consider this a low severity issue. |
It is important to note that I judged this on the condition that @xiaoming9090 and @jeffywu has no prior knowledge that this issue was not intended, that is why the potential loss of funds from missing potential revenue is relevant. The impact section did mention a potential loss of funds, but if you invalidate this on the grounds that it is simply "potential", then I don't know what to say but have to just respect it and put that into consideration for future judging. I believe this will lead to some judging inconsistencies moving forward if not sufficiently clarified.
|
Losing functionality itself doesn't lose funds. If that loss of functionality locks funds, or disables some sensitive functionality (for example, if you can't exercise an option), it may be a valid bug. There was no funds that should have gone to another party than they were allocated to. Please be careful with the work "potential" because if there is a 1% chance a probabilistic game's outcome can be manipulated, it is a "potential" exploit, but the finding would be valid. I think "opportunity loss" is a good term to classify the described loss here, and it is out of scope. I don't think it is unclear from the judging guidelines perspective. It is clear that there needs to be a loss of funds for any issue to be valid. It has also been the case in past decisions, such as this issue in Tokensoft, where the contract was rendered useless but didn't lose any funds. |
I agree and understand with your points and suggest you include something like this revolving around "potential" or "future" or whatever is the applicable word in sherlock docs, given sherlock has a completely different set of judging criteria than say other forms of audit contests/audits Imo this is not at all clear and has always been a gray area, at least for me |
Result: |
Escalations have been resolved successfully! Escalation status:
|
xiaoming90
medium
Maximum number of tokens supported is incorrect
Summary
Notional is unable to deploy the new leverage vault for a Composable Pool that has 5 stable tokens, rendering the protocol useless for such types of pools.
Vulnerability Detail
The following code taken from Balancer's composable pool shows that a composable pool can support up to 6 tokens (5 stable tokens + 1 BPT)
https://github.com/balancer/balancer-v2-monorepo/blob/c7d4abbea39834e7778f9ff7999aaceb4e8aa048/pkg/pool-stable/contracts/ComposableStablePoolStorage.sol#L206
https://github.com/balancer/balancer-v2-monorepo/blob/c7d4abbea39834e7778f9ff7999aaceb4e8aa048/pkg/pool-stable/contracts/StableMath.sol#L32
However, the Notional's leverage vault only supports up to a total of five (5) pool tokens. As a result, any composable pool with a total of 6 tokens is incompatible with the leverage vault.
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L40
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/BalancerPoolMixin.sol#L89
Impact
Notional is unable to deploy the new leverage vault for a Composable Pool that has 5 stable tokens, rendering the protocol useless for such types of pools.
In addition, if the affected vaults cannot be used, it leads to a loss of revenue for the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L40
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/BalancerPoolMixin.sol#L89
Tool used
Manual Review
Recommendation
Consider supporting up to a total of 6 pool tokens to ensure that all composable pools work with the leverage vault.
The text was updated successfully, but these errors were encountered: