Bauer - auraPools.deposit and auraPools.withdraw boolean return value not handled in WAuraPools.sol
Closed this issue · 1 comments
Bauer
medium
auraPools.deposit and auraPools.withdraw boolean return value not handled in WAuraPools.sol
Summary
auraPools.deposit() and auraPools.withdraw() boolean return value not handled in WAuraPools.sol
Vulnerability Detail
The WAuraPools.mint()
function allows users to deposit "amount" of a specific pool token, identified by "pid". The deposited tokens are then transferred from the user's address to the contract's address. The function also ensures that the contract is approved to spend the deposited tokens by calling the "_ensureApprove" function with the specified amount.
The deposit()
function of the auraPools
contract is then called to deposit the tokens into the specified pool.
However, the protocol does not handle the AuraPool.withdrawAndUnwrap() boolean return value.
function mint(
uint256 pid,
uint256 amount
) external nonReentrant returns (uint256 id) {
(address lpToken, , , address crvRewarder, , ) = getPoolInfoFromPoolId(
pid
);
IERC20Upgradeable(lpToken).safeTransferFrom(
msg.sender,
address(this),
amount
);
_ensureApprove(lpToken, address(auraPools), amount);
auraPools.deposit(pid, amount, true);
uint256 crvRewardPerToken = IAuraRewarder(crvRewarder).rewardPerToken();
id = encodeId(pid, crvRewardPerToken);
_mint(msg.sender, id, amount, "");
// Store extra rewards info
uint extraRewardsCount = IAuraRewarder(crvRewarder)
.extraRewardsLength();
for (uint i = 0; i < extraRewardsCount; i++) {
address extraRewarder = IAuraRewarder(crvRewarder).extraRewards(i);
uint rewardPerToken = IAuraRewarder(extraRewarder).rewardPerToken();
accExtPerShare[id].push(rewardPerToken);
}
}
In the AuraBooster implmenetation, a Boolean is indeed returned to acknowledge that deposit is completely successfully.
https://etherscan.io/address/0x7818A1DA7BD1E64c199029E86Ba244a9798eEE10#code#F34#L1
/**
* @notice Deposits an "_amount" to a given gauge (specified by _pid), mints a `DepositToken`
* and subsequently stakes that on Convex BaseRewardPool
*/
function deposit(uint256 _pid, uint256 _amount, bool _stake) public returns(bool){
The same issue for auraPools.withdraw()
Impact
If the boolean value is not handled, the transaction may fail silently.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/wrapper/WAuraPools.sol#L209
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/wrapper/WAuraPools.sol#L248
Tool used
Manual Review
Recommendation
Recommend checking for success return value
bool depositSuccess = auraPools.deposit(pid, amount, true);
require(depositSuccess , 'deposit failed');
This issue has been invalidated before in a previous contest as deposit & withdraw can only return true or revert.