This repository has been archived by the owner on May 26, 2024. It is now read-only.
xiaoming90 - Native ETH not received when removing liquidity from Curve V2 pools #86
Labels
- High: A valid High severity issue
- Reward: A payout will be made for this issue
- Sponsor Confirmed: The sponsor acknowledged this issue is valid
- Will Fix: The sponsor confirmed this issue will be fixed
xiaoming90
high
Native ETH not received when removing liquidity from Curve V2 pools
Summary
Native ETH was not received when removing liquidity from Curve V2 pools due to the mishandling of Native ETH and WETH, leading to a loss of assets.
Vulnerability Detail
A Curve V2 pool will always wrap to WETH and send it to the leverage vault unless use_eth is explicitly set to True. Otherwise, it will default to False. The following implementation of the remove_liquidity_one_coin function taken from one of the Curve V2 pools shows that unless use_eth is set to True, WETH.deposit() will be triggered to wrap the ETH, and WETH will be transferred back to the caller. The same is true for the remove_liquidity function, but it is omitted for brevity.
https://etherscan.io/address/0x0f3159811670c117c372428d4e69ac32325e4d0f#code
Notional's Leverage Vault only works with Native ETH. It was found that the remove_liquidity_one_coin and remove_liquidity functions are executed without explicitly setting the use_eth parameter to True. Thus, WETH instead of Native ETH will be returned when removing liquidity. As a result, this WETH will not be accounted for in the vault, resulting in a loss of assets.
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/Curve2TokenConvexVault.sol#L83C17-L83C77
Impact
The following are some of the impacts of mishandling Native ETH and WETH during liquidity removal in Curve pools, leading to loss of assets:
- Within redeemFromNotional, if the vaults consist of ETH, _UNDERLYING_IS_ETH will be set to true. In this case, the code will attempt to call transfer to transfer Native ETH, which will fail as Native ETH is not received, and users/Notional are unable to redeem.
- WETH will be received instead of Native ETH during the emergency exit. During vault restoration, WETH is not re-entered into the pool as only Native ETH residing in the vault will be transferred to the pool. Leverage vault only works with Native ETH, and if one of the pool tokens is WETH, it will be converted to Native ETH (0x0 or 0xEeeee) during deployment/initialization. Thus, the WETH is stuck in the vault. This causes the value per share to drop significantly. (Reference)
Code Snippet
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/Curve2TokenConvexVault.sol#L83C17-L83C77
Tool used
Manual Review
Recommendation
If one of the pool tokens is ETH, consider setting is_eth to true when calling remove_liquidity_one_coin and remove_liquidity functions to ensure that Native ETH is sent back to the vault.
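One way to apply the recommendation, as an added sketch that is not Notional's or Curve's code: pass use_eth explicitly on the single-sided exit and verify the payout by balance delta in the asset the vault accounts for. The contract name, helper names, error name and the address(0) marker for native ETH are assumptions; the interface declares no return values because they differ between pool versions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Curve V2 overloads that expose use_eth (it defaults to False when omitted).
interface ICurveV2Pool {
    function remove_liquidity_one_coin(
        uint256 token_amount, uint256 i, uint256 min_amount, bool use_eth
    ) external;
    function remove_liquidity(
        uint256 amount, uint256[2] calldata min_amounts, bool use_eth
    ) external;
}

interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical helper contract for illustration only.
abstract contract CurveV2EthExit {
    // Assumption: the vault represents native ETH as address(0).
    address internal constant ETH = address(0);

    error ExitAssetNotReceived(uint256 received, uint256 minExpected);

    // Balance of the asset the vault accounts for (native ETH or an ERC20).
    function _balanceOf(address token) private view returns (uint256) {
        return token == ETH
            ? address(this).balance
            : IERC20Balance(token).balanceOf(address(this));
    }

    // Single-sided exit that requests native ETH when the vault's primary
    // token is ETH, then checks what actually arrived.
    function _exitOneCoin(
        ICurveV2Pool pool, address primaryToken,
        uint256 lpAmount, uint256 index, uint256 minOut
    ) internal returns (uint256 received) {
        bool useEth = primaryToken == ETH; // explicit, never the default
        uint256 balanceBefore = _balanceOf(primaryToken);
        pool.remove_liquidity_one_coin(lpAmount, index, minOut, useEth);
        received = _balanceOf(primaryToken) - balanceBefore;
        // If the pool paid WETH instead, the native balance delta is zero.
        if (received == 0 || received < minOut) {
            revert ExitAssetNotReceived(received, minOut);
        }
    }

    // The pool sends native ETH with a plain call, so it must be accepted.
    receive() external payable {}
}
```

The same pattern applies to remove_liquidity: pass use_eth as the third argument and check the balance delta of each pool token the vault tracks.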