iamnmt - Wrong implementation of CuratedVault#reallocate when allocation.assets = 0 will cause unknown frontrunning donations can not be withdrawn
#194
Labels: Duplicate, Medium, Reward
sherlock-admin3 changed the title on Oct 3, 2024: "Careful Fleece Pike - Wrong implementation of CuratedVault#reallocate when allocation.assets = 0 will cause unknown frontrunning donations can not be withdrawn" → "iamnmt - Wrong implementation of CuratedVault#reallocate when allocation.assets = 0 will cause unknown frontrunning donations can not be withdrawn"

iamnmt

Medium

Wrong implementation of `CuratedVault#reallocate` when `allocation.assets = 0` will cause unknown frontrunning donations can not be withdrawn

Summary

Wrong implementation of `CuratedVault#reallocate` when `allocation.assets = 0` will cause unknown frontrunning donations can not be withdrawn.

Root Cause

Per the Sherlock rules:

In the `CuratedVault#reallocate` function

https://github.com/sherlock-audit/2024-06-new-scope/blob/c8300e73f4d751796daad3dadbae4d11072b3d79/zerolend-one/contracts/core/vaults/CuratedVault.sol#L232C12-L232C22

```solidity
  function reallocate(MarketAllocation[] calldata allocations) external onlyAllocator {
    uint256 totalSupplied;
    uint256 totalWithdrawn;
    for (uint256 i; i < allocations.length; ++i) {
      MarketAllocation memory allocation = allocations[i];
      IPool pool = allocation.market;

      (uint256 supplyAssets, uint256 supplyShares) = _accruedSupplyBalance(pool);
      uint256 toWithdraw = supplyAssets.zeroFloorSub(allocation.assets);

      if (toWithdraw > 0) {
        if (!config[pool].enabled) revert CuratedErrorsLib.MarketNotEnabled(pool);

1>      // Guarantees that unknown frontrunning donations can be withdrawn, in order to disable a market.
        uint256 shares;
        if (allocation.assets == 0) {
          shares = supplyShares;
2>        toWithdraw = 0;
        }

3>      DataTypes.SharesType memory burnt = pool.withdrawSimple(asset(), address(this), toWithdraw, 0);
        emit CuratedEventsLib.ReallocateWithdraw(_msgSender(), pool, burnt.assets, burnt.shares);
        totalWithdrawn += burnt.assets;
      } else {
        ...
      }
      ...
```

From the code comment at `1>`, when `allocation.assets = 0`, all the assets of a pool must be withdrawn.

But when `allocation.assets == 0`, `toWithdraw` is set to zero (`2>`), then this value is passed to `pool#withdrawSimple` (`3>`). The `withdrawSimple` function will revert because the check `validateWithdraw` fails.

https://github.com/sherlock-audit/2024-06-new-scope/blob/c8300e73f4d751796daad3dadbae4d11072b3d79/zerolend-one/contracts/core/pool/logic/ValidationLogic.sol#L97

As a result, the `reallocate` function will revert when `allocation.assets = 0`.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

An attacker can still front-run a deposit to a pool. The allocator cannot withdraw all the funds from a pool because the `reallocate` function will revert when `allocation.assets = 0`.

Impact

Because the `reallocate` function will revert when `allocation.assets = 0`, the protocol cannot withdraw all the unknown frontrunning donations, in order to disable a market.

PoC

No response

Mitigation

Fix the implementation of `reallocate` when `allocation.assets = 0`
Duplicate of #434
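
The withdraw branch described in this report, next to a hardened variant, as an added Solidity sketch that is not part of the original issue or of the ZeroLend code base. `MockPool`, `ReallocateSketch`, `credit`, `exitAsReported` and `exitHardened` are hypothetical names, `withdrawSimple` is reduced to a single argument, the zero-amount `require` is an assumed stand-in for the `validateWithdraw` check, and the hardened variant is one assumed way to apply the mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only. MockPool and ReallocateSketch are hypothetical stand-ins.
contract MockPool {
    mapping(address => uint256) public supplied;

    // Models a deposit or an unsolicited donation credited to `onBehalfOf`.
    function credit(address onBehalfOf, uint256 amount) external {
        supplied[onBehalfOf] += amount;
    }

    // ASSUMPTION: the zero-amount require stands in for the validateWithdraw check.
    function withdrawSimple(uint256 amount) external returns (uint256) {
        require(amount != 0, "INVALID_AMOUNT");
        require(amount <= supplied[msg.sender], "NOT_ENOUGH_BALANCE");
        supplied[msg.sender] -= amount;
        return amount;
    }
}

contract ReallocateSketch {
    MockPool public immutable pool;

    constructor(MockPool pool_) {
        pool = pool_;
    }

    // Mirrors the quoted withdraw branch; the supply (else) branch is elided on the page.
    function exitAsReported(uint256 targetAssets) external returns (uint256) {
        uint256 supplyAssets = pool.supplied(address(this));
        uint256 toWithdraw = supplyAssets > targetAssets ? supplyAssets - targetAssets : 0;
        if (toWithdraw == 0) return 0;
        if (targetAssets == 0) toWithdraw = 0; // marker 2> in the report
        return pool.withdrawSimple(toWithdraw); // marker 3>: reverts when targetAssets == 0
    }

    // ASSUMED fix: keep toWithdraw at the full accrued balance, donations included.
    function exitHardened(uint256 targetAssets) external returns (uint256) {
        uint256 supplyAssets = pool.supplied(address(this));
        uint256 toWithdraw = supplyAssets > targetAssets ? supplyAssets - targetAssets : 0;
        if (toWithdraw == 0) return 0;
        return pool.withdrawSimple(toWithdraw);
    }
}
```

After `credit(address(sketch), 100)` and a further `credit(address(sketch), 5)` modelling a donation, `exitAsReported(0)` reverts with `INVALID_AMOUNT`, while `exitHardened(0)` returns 105 and leaves the pool balance for the sketch at zero.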