This repository has been archived by the owner on May 26, 2024. It is now read-only.
0xmuxyz - The transaction of the AuraStakingMixin#_initialApproveTokens() may be reverted due to approving a pair token with only type(uint256).max
#93
Labels
Non-Reward
This issue will not receive a payout
Sponsor Disputed
The sponsor disputed this issue's validity
0xmuxyz
medium
The transaction of the AuraStakingMixin#_initialApproveTokens() may be reverted due to approving a pair token with only type(uint256).max
Summary
$COMP and $UNI would be reverted if these tokens are approved with an amount which is larger than uint96.
However, within the AuraStakingMixin#_initialApproveTokens(), each pair token would only be approved with type(uint256).max.
This leads to reverting the transaction of the AuraStakingMixin#_initialApproveTokens() if a pair token of Aura Pool ($COMP Pool) would be $COMP.
If the $UNI Pool would be listed on Aura Pool in the future, $UNI will be facing this vulnerability as well.
$COMP is an existing risk because the $COMP Pool (50COMP-50wstETH Pool) has existed as an Aura Pool. On the other hand, $UNI is a potential risk in the future.
Vulnerability Detail
Within the AuraStakingMixin#_initialApproveTokens(), the tokens[i].checkApprove() (TokenUtils#checkApprove()) would be called like this:
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L55
Within the TokenUtils#checkApprove(), the amount of token would be approved like this:
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/utils/TokenUtils.sol#L30
According to the "Revert on Large Approvals & Transfers", $UNI and $COMP would be reverted if these tokens are approved with an amount which is larger than uint96 like this:
According to the Aura Finance, the $COMP Pool (50COMP-50wstETH Pool) has existed as an Aura Pool like this:
https://app.aura.finance/#/1/pool/90
Based on above, in case of $COMP Pool on Aura, $COMP must be approved with less than type(uint96).max.
However, within the AuraStakingMixin#_initialApproveTokens(), each pair token would only be approved with type(uint256).max like this:
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L55
This leads to reverting the transaction when the AuraStakingMixin#_initialApproveTokens() would be called.
Furthermore, according to the Q&A, any token could be used like this:
This means that once $UNI Pool would be listed on Aura in the future, this vulnerability will also be problematic.
Impact
This vulnerability leads to reverting the transaction when the AuraStakingMixin#_initialApproveTokens() would be called if a pair token of Aura Pool would be $COMP (or $UNI).
As I mentioned above, $COMP is an existing risk because the $COMP Pool (50COMP-50wstETH Pool) has existed as an Aura Pool. On the other hand, $UNI is a potential risk in the future.
Code Snippet
Tool used
Recommendation
Within the AuraStakingMixin#_initialApproveTokens(), consider approving a pair token with type(uint96).max if a pair token of Aura Pool ($COMP Pool or $UNI Pool) would be $COMP or $UNI like this:
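Added example, not part of the original issue or the Notional code base: a constructed Solidity mock of the 96-bit approval rule that the "Revert on Large Approvals & Transfers" note describes, with a hypothetical probe contract that records which approval amounts are accepted and what allowance ends up stored. The special-case branch for type(uint256).max follows the approve() logic in the public COMP token source; the contract names, probe() and run() are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Constructed mock, not the real COMP/UNI contract: it models only the
/// 96-bit allowance handling of approve().
contract Uint96ApproveMock {
    mapping(address => mapping(address => uint96)) internal allowances;

    function approve(address spender, uint256 rawAmount) external returns (bool) {
        uint96 amount;
        if (rawAmount == type(uint256).max) {
            // "Infinite" approval is special-cased and stored as the 96-bit maximum.
            amount = type(uint96).max;
        } else {
            require(rawAmount <= type(uint96).max, "approve: amount exceeds 96 bits");
            amount = uint96(rawAmount);
        }
        allowances[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return allowances[owner][spender];
    }
}

/// Hypothetical harness: probes which approval amounts the mock accepts.
contract ApproveProbe {
    Uint96ApproveMock public token = new Uint96ApproveMock();

    /// Tries one approval; reports whether it went through and the allowance now stored.
    function probe(address spender, uint256 amount) public returns (bool ok, uint256 stored) {
        try token.approve(spender, amount) returns (bool r) {
            ok = r;
        } catch {
            ok = false; // approve() reverted; the previous allowance is left unchanged
        }
        stored = token.allowance(address(this), spender);
    }

    /// Probes type(uint256).max, type(uint96).max and type(uint96).max + 1 in turn.
    function run(address spender) external returns (bool[3] memory ok, uint256[3] memory stored) {
        uint256[3] memory amounts = [type(uint256).max, uint256(type(uint96).max), uint256(type(uint96).max) + 1];
        for (uint256 i = 0; i < 3; i++) {
            (ok[i], stored[i]) = probe(spender, amounts[i]);
        }
    }
}
```

Calling run() against the mock (or pointing the same probe at a forked mainnet token in a test) gives a reviewer a direct check of the approval path before judging whether _initialApproveTokens() can revert.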