This repository has been archived by the owner on May 26, 2024. It is now read-only.
xiaoming90 - Single-sided instead of proportional exit is performed during emergency exit #87
Labels
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
xiaoming90
high
Single-sided instead of proportional exit is performed during emergency exit
Summary
Single-sided instead of proportional exit is performed during emergency exit, which could lead to a loss of assets during emergency exit and vault restoration.
Vulnerability Detail
Per the comment in Line 476 below, the BPT should be redeemed proportionally to underlying tokens during an emergency exit. However, it was found that the
_unstakeAndExitPool
function is executed with theisSingleSided
parameter set totrue
.https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L480
If the
isSingleSided
is set toTrue
, theEXACT_BPT_IN_FOR_ONE_TOKEN_OUT
will be used, which is incorrect. Per the Balancer's documentation,EXACT_BPT_IN_FOR_ONE_TOKEN_OUT
is a single asset exit where the user sends a precise quantity of BPT, and receives an estimated but unknown (computed at run time) quantity of a single token.To perform a proportional exit, the
EXACT_BPT_IN_FOR_TOKENS_OUT
should be used instead.https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/BalancerComposableAuraVault.sol#L67
The same issue affects the Curve's implementation of the
_unstakeAndExitPool
function.Impact
The following are some of the impacts of this issue, which lead to loss of assets:
Redeeming LP tokens one-sided incurs unnecessary slippage as tokens have to be swapped internally to one specific token within the pool, resulting in fewer assets received.
Per the source code comment below, in other words, unless a proportional exit is performed, the emergency exit will be subjected to front-run attack and slippage.
After the emergency exit, the vault only held one of the pool tokens. To re-enter the pool, the vault has to either swap the token to other pool tokens on external DEXs to maintain the proportion or perform a single-sided join. Both of these methods will incur unnecessary slippage, resulting in fewer LP tokens received at the end.
Code Snippet
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L480
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/BalancerComposableAuraVault.sol#L67
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/Curve2TokenConvexVault.sol#L80
Tool used
Manual Review
Recommendation
Set the
isSingleSided
parameter tofalse
when calling the_unstakeAndExitPool
function to ensure that the proportional exit is performed.The text was updated successfully, but these errors were encountered: