sherlock-audit/2023-04-blueberry-judging

Bauer - auraPools.deposit and auraPools.withdraw boolean return value not handled in WAuraPools.sol

Closed this issue · 1 comments

Bauer

medium

auraPools.deposit and auraPools.withdraw boolean return value not handled in WAuraPools.sol

Summary

auraPools.deposit() and auraPools.withdraw() boolean return value not handled in WAuraPools.sol

Vulnerability Detail

The WAuraPools.mint() function allows users to deposit "amount" of a specific pool token, identified by "pid". The deposited tokens are then transferred from the user's address to the contract's address. The function also ensures that the contract is approved to spend the deposited tokens by calling the "_ensureApprove" function with the specified amount.
The deposit() function of the auraPools contract is then called to deposit the tokens into the specified pool.
However, the protocol does not handle the AuraPool.withdrawAndUnwrap() boolean return value.

    function mint(
        uint256 pid,
        uint256 amount
    ) external nonReentrant returns (uint256 id) {
        (address lpToken, , , address crvRewarder, , ) = getPoolInfoFromPoolId(
            pid
        );
        IERC20Upgradeable(lpToken).safeTransferFrom(
            msg.sender,
            address(this),
            amount
        );

        _ensureApprove(lpToken, address(auraPools), amount);
        auraPools.deposit(pid, amount, true);

        uint256 crvRewardPerToken = IAuraRewarder(crvRewarder).rewardPerToken();
        id = encodeId(pid, crvRewardPerToken);
        _mint(msg.sender, id, amount, "");
        // Store extra rewards info
        uint extraRewardsCount = IAuraRewarder(crvRewarder)
            .extraRewardsLength();
        for (uint i = 0; i < extraRewardsCount; i++) {
            address extraRewarder = IAuraRewarder(crvRewarder).extraRewards(i);
            uint rewardPerToken = IAuraRewarder(extraRewarder).rewardPerToken();
            accExtPerShare[id].push(rewardPerToken);
        }
    }

In the AuraBooster implementation, a Boolean is indeed returned to acknowledge that the deposit completed successfully.

https://etherscan.io/address/0x7818A1DA7BD1E64c199029E86Ba244a9798eEE10#code#F34#L1

    /**
     * @notice  Deposits an "_amount" to a given gauge (specified by _pid), mints a `DepositToken`
     *          and subsequently stakes that on Convex BaseRewardPool
     */
    function deposit(uint256 _pid, uint256 _amount, bool _stake) public returns(bool){

The same issue applies to auraPools.withdraw().

Impact

If the boolean value is not handled, the transaction may fail silently.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/wrapper/WAuraPools.sol#L209
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/wrapper/WAuraPools.sol#L248

Tool used

Manual Review

Recommendation

Recommend checking for success return value

    bool depositSuccess = auraPools.deposit(pid, amount, true);
    require(depositSuccess, 'deposit failed');

This issue has been invalidated before in a previous contest as deposit & withdraw can only return true or revert.
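When the return-value check changes behaviour and when it is redundant, as an added example that is not part of the original issue and is not Blueberry or Aura code. All contract and function names are hypothetical, token transfers are omitted, and `FalseReturningBooster` is an assumed counter-case, not a description of the real booster.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration. Every name here is hypothetical; none is Blueberry or Aura code.
interface IBoosterLike {
    function deposit(uint256 pid, uint256 amount, bool stake) external returns (bool);
}

// Matches the closing comment: deposit() returns true or reverts, never false.
contract RevertingBooster is IBoosterLike {
    bool public shutdown;
    uint256 public staked;
    function setShutdown(bool s) external { shutdown = s; }
    function deposit(uint256, uint256 amount, bool) external override returns (bool) {
        require(!shutdown, "shutdown");
        staked += amount;
        return true;
    }
}

// Assumed counter-case: a dependency that reports failure by returning false.
contract FalseReturningBooster is IBoosterLike {
    bool public shutdown;
    uint256 public staked;
    function setShutdown(bool s) external { shutdown = s; }
    function deposit(uint256, uint256 amount, bool) external override returns (bool) {
        if (shutdown) return false; // no revert, nothing staked
        staked += amount;
        return true;
    }
}

contract WrapperSketch {
    IBoosterLike public immutable booster;
    mapping(address => uint256) public shares;
    constructor(IBoosterLike b) { booster = b; }

    // Pattern flagged in the report: the bool is discarded.
    function mintUnchecked(uint256 pid, uint256 amount) external {
        booster.deposit(pid, amount, true);
        shares[msg.sender] += amount; // credited even if deposit() returned false
    }

    // Pattern from the Recommendation section.
    function mintChecked(uint256 pid, uint256 amount) external {
        require(booster.deposit(pid, amount, true), "deposit failed");
        shares[msg.sender] += amount;
    }
}
```

With `RevertingBooster` in shutdown, both mint functions revert, so the check adds nothing. With `FalseReturningBooster` in shutdown, `mintUnchecked` credits shares while `staked` stays unchanged, and `mintChecked` reverts.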