Labels: Duplicate (a valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (a Medium severity issue), Reward (a payout will be made for this issue)
reallocate function of CuratedVault can not withdraw fully from a Pool due to wrong handle of allocation.assets == 0.
Summary
During the allocation of funds on a CuratedVault, the allocator is supposed to pass `allocation.assets = 0` if he wants to withdraw fully from a Pool, but this case is not handled correctly.
Vulnerability Detail
When the allocator in a Pool wants to reallocate funds from one Pool to another, he is supposed to call the `reallocate` function and pass the target assets he wants to have in every Pool. We can see the implementation here:
```solidity
function reallocate(MarketAllocation[] calldata allocations) external onlyAllocator {
  uint256 totalSupplied;
  uint256 totalWithdrawn;
  for (uint256 i; i < allocations.length; ++i) {
    MarketAllocation memory allocation = allocations[i];
    IPool pool = allocation.market;
    (uint256 supplyAssets, uint256 supplyShares) = _accruedSupplyBalance(pool);
    uint256 toWithdraw = supplyAssets.zeroFloorSub(allocation.assets);
    if (toWithdraw > 0) {
      if (!config[pool].enabled) revert CuratedErrorsLib.MarketNotEnabled(pool);
      // Guarantees that unknown frontrunning donations can be withdrawn, in order to disable a market.
      // ... (lines missing from this excerpt)
      totalSupplied += suppliedAssets;
    }
  }
  if (totalWithdrawn != totalSupplied) revert CuratedErrorsLib.InconsistentReallocation();
}
```
When he wants to move out every token from a Pool, he is supposed to put as parameter the 0 amount and must withdraw the whole balance of the CuratedVault from that Pool. However, as we can see in the implementation, when `allocation.assets == 0`, the function, instead of passing the `type(uint256).max` amount, is passing the 0 amount, which basically says to the Pool "withdraw nothing". This clearly goes against the intended behavior of the protocol.
Impact
The impact of this vulnerability is serious, since this means that the CuratedVault is forced to leave some amount in a Pool that the allocator wants to fully exit. Also, it is clear that the reallocation of the funds during the call will not work and be executed as expected, since the Pool will not be drained of funds.
sherlock-admin3 changed the title from "Polished Iris Antelope - reallocate function of CuratedVault can not withdraw fully from a Pool due to wrong handle of allocation.assets == 0." to "zarkk01 - reallocate function of CuratedVault can not withdraw fully from a Pool due to wrong handle of allocation.assets == 0." on Oct 3, 2024.
Code Snippet
https://github.com/sherlock-audit/2024-06-new-scope/blob/main/zerolend-one/contracts/core/vaults/CuratedVault.sol#L232C1-L276C4
Tool used
Manual Review
Recommendation
Consider making this change so as to produce the intended functionality:
Duplicate of #434
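Added example, not code from the report or from the project's code base: a minimal Solidity model of the withdrawal amount the report describes, next to a variant that treats a target of 0 as a full exit. `MockPool`, `ReallocateModel` and their functions are hypothetical, and the pool semantics (0 withdraws nothing, `type(uint256).max` withdraws everything) are assumed from the report's description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical pool (assumption, not the project's IPool): amount 0 withdraws nothing,
// type(uint256).max withdraws the whole position, as the report describes.
contract MockPool {
    uint256 public supplied;

    constructor(uint256 initial) { supplied = initial; }

    function withdraw(uint256 amount) external returns (uint256 burnt) {
        burnt = amount == type(uint256).max ? supplied : amount;
        require(burnt <= supplied, "insufficient balance");
        supplied -= burnt;
    }
}

contract ReallocateModel {
    // Saturating subtraction, the role zeroFloorSub plays in the excerpt.
    function zeroFloorSub(uint256 x, uint256 y) internal pure returns (uint256) {
        return x > y ? x - y : 0;
    }

    // Behaviour the report describes: a target of 0 turns into a withdrawal of 0.
    function withdrawAsReported(MockPool pool, uint256 target) public returns (uint256) {
        uint256 toWithdraw = zeroFloorSub(pool.supplied(), target);
        if (toWithdraw == 0) return 0;
        if (target == 0) toWithdraw = 0;
        return pool.withdraw(toWithdraw);
    }

    // Variant the report asks for: a target of 0 means "exit this pool fully".
    function withdrawFullExit(MockPool pool, uint256 target) public returns (uint256) {
        uint256 toWithdraw = zeroFloorSub(pool.supplied(), target);
        if (toWithdraw == 0) return 0;
        if (target == 0) toWithdraw = type(uint256).max;
        return pool.withdraw(toWithdraw);
    }

    // Constructed scenario: two 1000-unit positions, both given a target of 0.
    function demo() external returns (uint256 leftReported, uint256 leftFullExit) {
        MockPool a = new MockPool(1000);
        MockPool b = new MockPool(1000);
        withdrawAsReported(a, 0);
        withdrawFullExit(b, 0);
        (leftReported, leftFullExit) = (a.supplied(), b.supplied());
        assert(leftReported == 1000 && leftFullExit == 0);
    }
}
```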