This repository has been archived by the owner on May 26, 2023. It is now read-only.
github-actions bot opened this issue on Mar 1, 2023 · 0 comments
Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), High (A valid High severity issue), Reward (A payout will be made for this issue)
Summary
IchiVaultSpell#openPositionFarm collects vault tokens and ICHI farming rewards from wIchiFarm. The collected vault tokens are re-deposited to wIchiFarm, but the ICHI farming rewards are not collected from the spell contract.
Vulnerability Detail
```solidity
// Excerpt from IchiVaultSpell#openPositionFarm: unwind an existing farm position
if (collSize > 0) {
    (uint256 decodedPid, ) = wIchiFarm.decodeId(collId);
    if (farmingPid != decodedPid) revert INCORRECT_PID(farmingPid);
    if (posCollToken != address(wIchiFarm))
        revert INCORRECT_COLTOKEN(posCollToken);
    bank.takeCollateral(collSize);
    wIchiFarm.burn(collId, collSize); // sends LP tokens and accrued ICHI to the spell
}
```
If a farming position already exists when openPositionFarm is called, it first takes out the collateral and redeems the underlying tokens by calling wIchiFarm.burn.
wIchiFarm.burn sends both the LP tokens and the accrued ICHI farming rewards to the spell contract.
```solidity
// 5. Deposit on farming pool, put collateral
ensureApprove(strategy.vault, address(wIchiFarm));
uint256 lpAmount = IERC20(strategy.vault).balanceOf(address(this)); // LP only; ICHI balance is never read
uint256 id = wIchiFarm.mint(farmingPid, lpAmount);
bank.putCollateral(address(wIchiFarm), id, lpAmount);
```
The LP tokens are wrapped and deposited to the farm again, but the ICHI tokens are still left in the contract.
As written in the specs, spell contracts should not hold assets, and any extra tokens kept in the contract can be taken by anyone calling the contract. As a result, the rewards are lost and the contract is exposed to back-running attacks.
Impact
User funds (reward tokens) are lost and can be the target of back-running attacks.
sinarette
high
Harvested ICHI tokens are not collected
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/spell/IchiVaultSpell.sol#L199-L249
Tool used
Manual Review
Recommendation
Add collecting logic for ICHI, or re-deposit the tokens if the vault is an ICHI pair.
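One way to implement the recommendation, as an added example that is not part of the original report or of the Blueberry code base: a simplified re-deposit step that measures the ICHI paid out by burn() and forwards it to the position owner instead of leaving it in the spell. The IERC20Like and IWIchiFarmLike interfaces, the FarmRedepositExample contract and the recipient parameter are assumptions for illustration, and caller access control is omitted to keep the example short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used below (assumed; not the project's interfaces).
interface IERC20Like {
    function balanceOf(address a) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical wrapper-farm interface modelled on the calls seen in the report.
interface IWIchiFarmLike {
    function burn(uint256 id, uint256 amount) external;   // pays out LP + accrued ICHI
    function mint(uint256 pid, uint256 amount) external returns (uint256 id);
}

contract FarmRedepositExample {
    IERC20Like public immutable ichi;      // reward token released by burn()
    IWIchiFarmLike public immutable farm;

    constructor(IERC20Like _ichi, IWIchiFarmLike _farm) {
        ichi = _ichi;
        farm = _farm;
    }

    // Re-deposit step with the missing reward handling added. `vault` is the
    // ICHI vault LP token, `recipient` the position owner (assumed parameter).
    function redeposit(
        address vault, uint256 pid, uint256 oldId, uint256 oldSize, address recipient
    ) external returns (uint256 newId, uint256 reward) {
        // Measure the ICHI delta around burn() so only this position's harvest
        // is attributed to it (the spell is not supposed to hold any balance).
        uint256 before = ichi.balanceOf(address(this));
        if (oldSize > 0) farm.burn(oldId, oldSize);
        reward = ichi.balanceOf(address(this)) - before;

        // Same re-deposit as in the report: wrap all LP held by the spell again.
        uint256 lpAmount = IERC20Like(vault).balanceOf(address(this));
        require(IERC20Like(vault).approve(address(farm), lpAmount), "approve failed");
        newId = farm.mint(pid, lpAmount);

        // Fix: forward the harvested ICHI instead of stranding it in the spell.
        // If the vault itself is an ICHI pair, this amount could be deposited again.
        if (reward > 0) require(ichi.transfer(recipient, reward), "transfer failed");
    }
}
```

A unit test for this fix would assert that the spell's ICHI balance is zero after redeposit() and that the recipient's balance grew by exactly the harvested amount.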
Duplicate of #158