koxuan - missing implementation in HardVault causes it to serve no purpose

[github-actions]

koxuan

high

missing implementation in HardVault causes it to serve no purpose

Summary

HardVault is meant to serve asset classes of LP or wrapped tokens. However, HardVault does not do mint of compound fork protocol tokens which will deposit the underlying assets, causing HardVault to be isolated from the rest of the protocol and not serving any purpose.

Vulnerability Detail

Notice that deposit in HardVault does not call cToken mint unlike in SoftVault, it just deposits and issues erc1155 tokens in return, isolated from the rest of the blueberry protocol.

    function deposit(address token, uint256 amount)
        external
        override
        nonReentrant
        returns (uint256 shareAmount)
    {
        if (amount == 0) revert ZERO_AMOUNT();
        IERC20Upgradeable uToken = IERC20Upgradeable(token);
        uint256 uBalanceBefore = uToken.balanceOf(address(this));
        uToken.safeTransferFrom(msg.sender, address(this), amount);
        uint256 uBalanceAfter = uToken.balanceOf(address(this));

        shareAmount = uBalanceAfter - uBalanceBefore;
        _mint(msg.sender, uint256(uint160(token)), shareAmount, "");

        emit Deposited(msg.sender, amount, shareAmount);
    }

Same for withdraw, it takes in erc 1155 tokens and returns the underlying asset back to user without calling redeem from Compound token.

    function withdraw(address token, uint256 shareAmount)
        external
        override
        nonReentrant
        returns (uint256 withdrawAmount)
    {
        if (shareAmount == 0) revert ZERO_AMOUNT();
        IERC20Upgradeable uToken = IERC20Upgradeable(token);
        _burn(msg.sender, uint256(uint160(token)), shareAmount);
        withdrawAmount = shareAmount;


        // Cut withdraw fee if it is in withdrawVaultFee Window (2 months)
        if (
            block.timestamp <
            config.withdrawVaultFeeWindowStartTime() +
                config.withdrawVaultFeeWindow()
        ) {
            uint256 fee = (withdrawAmount * config.withdrawVaultFee()) /
                DENOMINATOR;
            uToken.safeTransfer(config.treasury(), fee);
            withdrawAmount -= fee;
        }
        uToken.safeTransfer(msg.sender, withdrawAmount);


        emit Withdrawn(msg.sender, withdrawAmount, shareAmount);
    }
}

Impact

According to protocol team on discord, HardVault works the same as SoftVault except for the fact that it is meant to serve asset classes of LP or wrapped tokens. Impact would be LP or wrapped tokens will not be able to be used as underlying assets for blueberry protocol.

Code Snippet

HardVault.sol#L68-L84
HardVault.sol#L91-L117

Tool used

Manual Review

Recommendation

Recommend implementing the Compound token deposit and redeem logic.

Duplicate of #147