This repository has been archived by the owner on May 26, 2023. It is now read-only.

obront - HardVault never deposits assets to Compound #147

Open
github-actions bot opened this issue Mar 1, 2023 · 0 comments
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed


github-actions bot commented Mar 1, 2023

obront

medium

HardVault never deposits assets to Compound

Summary

While the protocol states that all underlying assets are deposited to their Compound fork to earn interest, it appears this action never happens in HardVault.sol.

Vulnerability Detail

The documentation and comments seem to make clear that all assets deposited to HardVault.sol should be deposited to Compound to earn yield:

/**
    * @notice Deposit underlying assets on Compound and issue share token
    * @param amount Underlying token amount to deposit
    * @return shareAmount cToken amount
    */
function deposit(address token, uint256 amount) { ... }

/**
    * @notice Withdraw underlying assets from Compound
    * @param shareAmount Amount of cTokens to redeem
    * @return withdrawAmount Amount of underlying assets withdrawn
    */
function withdraw(address token, uint256 shareAmount) { ... }

However, if we examine the code in these functions, there is no movement of the assets to Compound. Instead, they sit in the Hard Vault and don't earn any yield.

Impact

Users who may expect to be earning yield on their underlying tokens will not be.

Code Snippet

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/vault/HardVault.sol#L68-L116

Tool used

Manual Review

Recommendation

Either add the functionality to the Hard Vault to have the assets pulled from the ERC1155 and deposited to the Compound fork, or change the comments and docs to be clear that such underlying assets will not be receiving any yield.
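The first option in the recommendation, as an added sketch that is not code from HardVault.sol or from the Blueberry project: deposits are forwarded to a Compound v2 style cToken and shares are issued in cToken units, matching the `@return shareAmount cToken amount` comment quoted above. The contract name, the `cTokenOf` registry and the `shares` mapping (standing in for the ERC1155 balances) are hypothetical, and the sketch assumes standard ERC-20 tokens that return `bool` and have no transfer fees or callbacks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration; names below are hypothetical, not the project's.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Compound v2 cToken entry points; mint and redeem return 0 on success.
interface ICErc20 {
    function mint(uint256 mintAmount) external returns (uint256);
    function redeem(uint256 redeemTokens) external returns (uint256);
    function balanceOf(address) external view returns (uint256);
}

contract ForwardingVaultSketch {
    mapping(address => ICErc20) public cTokenOf;                   // assumed registry: underlying => cToken
    mapping(address => mapping(address => uint256)) public shares; // stands in for ERC1155 balances

    constructor(address[] memory tokens, ICErc20[] memory cTokens) {
        require(tokens.length == cTokens.length, "length mismatch");
        for (uint256 i; i < tokens.length; ++i) cTokenOf[tokens[i]] = cTokens[i];
    }

    function deposit(address token, uint256 amount) external returns (uint256 shareAmount) {
        ICErc20 cToken = cTokenOf[token];
        require(address(cToken) != address(0), "unsupported token");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        uint256 cBefore = cToken.balanceOf(address(this));
        require(IERC20(token).approve(address(cToken), amount), "approve failed");
        require(cToken.mint(amount) == 0, "mint failed"); // the forwarding step the report finds missing
        shareAmount = cToken.balanceOf(address(this)) - cBefore; // shares == cTokens received
        shares[msg.sender][token] += shareAmount;
    }

    function withdraw(address token, uint256 shareAmount) external returns (uint256 withdrawAmount) {
        ICErc20 cToken = cTokenOf[token];
        require(address(cToken) != address(0), "unsupported token");
        shares[msg.sender][token] -= shareAmount; // checked math reverts if caller lacks shares
        uint256 uBefore = IERC20(token).balanceOf(address(this));
        require(cToken.redeem(shareAmount) == 0, "redeem failed");
        withdrawAmount = IERC20(token).balanceOf(address(this)) - uBefore; // principal plus accrued interest
        require(IERC20(token).transfer(msg.sender, withdrawAmount), "transfer failed");
    }
}
```

A review check that follows from this shape: after any `deposit`, the vault's own balance of the underlying token should be unchanged, since everything pulled in was handed to the cToken.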

@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Mar 1, 2023
@Gornutz Gornutz added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 8, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 19, 2023