This repository has been archived by the owner on May 26, 2023. It is now read-only.
github-actionsbot opened this issue Mar 1, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
koxuan
high
missing implementation in HardVault causes it to serve no purpose
Summary
HardVault is meant to serve asset classes of LP or wrapped tokens. However, `HardVault` does not do mint of compound fork protocol tokens which will deposit the underlying assets, causing HardVault to be isolated from the rest of the protocol and not serving any purpose.
Vulnerability Detail
Notice that `deposit` in `HardVault` does not call cToken mint unlike in `SoftVault`, it just deposits and issues ERC1155 tokens in return, isolated from the rest of the Blueberry protocol.
Same for `withdraw`, it takes in ERC1155 tokens and returns the underlying asset back to the user without calling redeem from the Compound token.
Impact
According to the protocol team on Discord, `HardVault` works the same as `SoftVault` except for the fact that it is meant to serve asset classes of LP or wrapped tokens. Impact would be LP or wrapped tokens will not be able to be used as underlying assets for the Blueberry protocol.
Code Snippet
HardVault.sol#L68-L84
HardVault.sol#L91-L117
Tool used
Manual Review
Recommendation
Recommend implementing the Compound token deposit and redeem logic.
Duplicate of #147
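The deposit and redeem wiring that the recommendation asks for, as an added sketch that is not part of the issue or of the Blueberry code base. The contract name, the `cTokenOf` registry, the ERC1155 id scheme and the use of OpenZeppelin Contracts 4.x are assumptions made for illustration; only the Compound-style `mint`/`redeem` calls (which return 0 on success) are taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Minimal Compound-style cToken interface: both calls return 0 on success.
interface ICErc20 {
    function mint(uint256 mintAmount) external returns (uint256);
    function redeem(uint256 redeemTokens) external returns (uint256);
}

// Hypothetical sketch, NOT the Blueberry HardVault.
contract HardVaultSketch is ERC1155, ReentrancyGuard {
    using SafeERC20 for IERC20;

    // Assumed underlying -> cToken registry; the governance setter is omitted.
    mapping(address => ICErc20) public cTokenOf;

    constructor() ERC1155("") {}

    function deposit(address token, uint256 amount) external nonReentrant returns (uint256 shares) {
        ICErc20 cToken = cTokenOf[token];
        require(address(cToken) != address(0), "no market");
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);

        // Supply the underlying to the market and credit the cTokens actually received.
        uint256 balBefore = IERC20(address(cToken)).balanceOf(address(this));
        IERC20(token).safeApprove(address(cToken), amount);
        require(cToken.mint(amount) == 0, "mint failed");
        shares = IERC20(address(cToken)).balanceOf(address(this)) - balBefore;

        _mint(msg.sender, uint256(uint160(token)), shares, ""); // id scheme is an assumption
    }

    function withdraw(address token, uint256 shares) external nonReentrant returns (uint256 amount) {
        ICErc20 cToken = cTokenOf[token];
        require(address(cToken) != address(0), "no market");
        _burn(msg.sender, uint256(uint160(token)), shares);

        // Redeem the cTokens and pay out the underlying actually returned.
        uint256 balBefore = IERC20(token).balanceOf(address(this));
        require(cToken.redeem(shares) == 0, "redeem failed");
        amount = IERC20(token).balanceOf(address(this)) - balBefore;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

Measuring balance deltas around `mint` and `redeem`, rather than trusting the requested amounts, keeps the ERC1155 share accounting tied to what the market actually issued or returned.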