wickie - The vault cannot empty funds from a market when removing it. #486

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

sherlock-admin2 commented Sep 10, 2024

wickie

Medium

The vault cannot empty funds from a market when removing it.

Summary

To remove a market from the vault, the protocol recommends emptying a market first using CuratedVault::reallocate() and removing it with updateWithdrawQueue(), as stated in the docs (https://github.com/zerolend/zerolend-one/wiki/CuratedVault). However, this is not possible because of a mistake in reallocate() (CuratedVault.sol:250).

Root Cause

To empty a market the allocator is to pass 0 in allocations.assets.
CuratedVault.sol:232

  function reallocate(MarketAllocation[] calldata allocations) external onlyAllocator {

However, in CuratedVault.sol:247-250, if allocation.assets == 0, it sets toWithdraw to 0:

        // Guarantees that unknown frontrunning donations can be withdrawn, in order to disable a market.
        uint256 shares;
        if (allocation.assets == 0) {
          shares = supplyShares;
          toWithdraw = 0;
        }

Then the function tries to call pool.withdrawSimple with toWithdraw as 0. (CuratedVault.sol:253)

        DataTypes.SharesType memory burnt = pool.withdrawSimple(asset(), address(this), toWithdraw, 0);

This would result in the function reverting, as it does not take zero as input. (ValidationLogic.sol:97)

Internal pre-conditions

The allocator of the vault needs to call reallocate().

External pre-conditions

None

Attack Path

None

Impact

This would leave the vault no choice but to remove a market via CuratedVault::submitMarketRemoval() and updateWithdrawQueue(), which would lead to loss of funds of the market. Because of this bug, the only way to reallocate or empty funds from a market would be to ask all the suppliers of the vault to withdraw their funds, removing the market and asking them to supply back.

PoC

No response

Mitigation

If the developers want to make sure unknown front-running donations are withdrawn, simply set toWithdraw to type(uint256).max. This will withdraw the whole vault balance of this particular market (SupplyLogic.sol:121).

solidity
-       uint256 shares;
        if (allocation.assets == 0) {
-       shares = supplyShares;
-          toWithdraw = 0;
+         toWithdraw = type(uint256).max;
        }
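
Review bot: In the `allocation.assets == 0` branch, `toWithdraw` now holds the `type(uint256).max` sentinel rather than a real amount, so anything after the `pool.withdrawSimple(...)` call that reads `toWithdraw` for accounting or events should take the amount from the returned `burnt` value instead. The hunk also deletes the `uint256 shares;` declaration, so check that nothing later in `reallocate()` still references `shares`, and keep the existing comment about frontrunning donations above the branch since it explains why the whole balance is withdrawn. A test that calls `reallocate()` with `assets == 0` on a funded market would cover the revert described in the report.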

Duplicate of #434
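
A simplified model of the failure and of the suggested mitigation, added here as an illustration and not taken from the ZeroLend code base. `ModelPool`, `ModelVault`, their functions and the revert strings are hypothetical; the pool keeps only the two behaviours the report cites (a zero amount is rejected, and `type(uint256).max` is treated as the full balance).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model, NOT ZeroLend code: every name here is hypothetical.
// It keeps only the two pool behaviours the report relies on:
// a zero amount reverts, and type(uint256).max means "whole balance".
contract ModelPool {
    mapping(address => uint256) public balanceOf;

    function supply(uint256 amount) external {
        balanceOf[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external returns (uint256 withdrawn) {
        require(amount != 0, "INVALID_AMOUNT"); // zero-amount validation
        uint256 bal = balanceOf[msg.sender];
        withdrawn = amount == type(uint256).max ? bal : amount;
        require(withdrawn <= bal, "NOT_ENOUGH_BALANCE");
        balanceOf[msg.sender] = bal - withdrawn;
    }
}

contract ModelVault {
    ModelPool public immutable pool;

    constructor(ModelPool pool_) {
        pool = pool_;
    }

    function deposit(uint256 amount) external {
        pool.supply(amount);
    }

    // Behaviour described in the report: a target of 0 turns into a
    // zero-amount withdrawal, which the pool rejects, so this always reverts.
    function emptyMarketAsReported() external returns (uint256) {
        uint256 toWithdraw = 0;
        return pool.withdraw(toWithdraw);
    }

    // Suggested mitigation: pass the max sentinel and account with the
    // amount the pool reports back, never with the sentinel itself.
    function emptyMarketMitigated() external returns (uint256 withdrawn) {
        withdrawn = pool.withdraw(type(uint256).max);
        assert(pool.balanceOf(address(this)) == 0);
    }
}
```

After `deposit(100)`, `emptyMarketAsReported()` reverts with the zero-amount error, while `emptyMarketMitigated()` returns 100 and leaves the vault's pool balance at zero.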

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Sep 20, 2024
@sherlock-admin3 sherlock-admin3 changed the title Bent Berry Cobra - The vault cannot empty funds from a market when removing it. wickie - The vault cannot empty funds from a market when removing it. Oct 3, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Oct 3, 2024