Code4rena 2022-05-sturdy findings, issue 100 (May 15, 2022)
YieldManager: Uniswap token swaps through fixed path may break yield distribution


Lines of code
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L179-L186
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L48
https://github.com/sturdyfi/code4rena-may-2022/blob/main/contracts/protocol/libraries/swap/UniswapAdapter.sol#L41-L76
https://github.com/sturdyfi/code4rena-may-2022/blob/main/contracts/protocol/libraries/swap/UniswapAdapter.sol#L120-L127

Vulnerability details

Details & Impact

All harvested yield tokens are swapped to USDC through the Uniswap adapter. Although the adapter itself is out of scope, its routing is relevant here: the swap path is assetFrom -> WETH -> assetTo, unless assetFrom is already WETH, in which case it is a single hop.

The main issue is that the adapter assumes and uses the 1% fee pool for every hop regardless of asset. Uniswap V3 has several fee tiers for the same asset pair (0.05%, 0.3% and 1% among them), so the majority of the liquidity for a pair may sit in a different pool (e.g. the 0.3% pool) than the one the adapter hard-codes, and the harvest is swapped with avoidable price impact.

Furthermore, the 1% fee pool may never have been created for a given pair. In that case the swap along the fixed path reverts, which breaks yield distribution.

Examples

WETH -> USDC

The yield manager swaps yield tokens (CRV, CVX and any additional rewards) to WETH, then to USDC, which is in turn swapped for other stablecoins where needed. The WETH/USDC 1% fee pool holds ~$10.25M of liquidity while the 0.05% fee pool holds ~$250M, so routing through the 1% pool loses yield to slippage (price impact) that the deeper pool would avoid.

poolId 4: SUSD

The SUSD pool (Convex booster pool id 4) distributes SNX as an extra reward. The SNX/ETH 0.3% fee pool has ~$1.78M of liquidity while the 1% fee pool has only ~$36k (see Uniswap stats), so SNX rewards are swapped through the far shallower pool.

rKP3R

rKP3R is distributed as an extra reward for a number of pools, but no rKP3R/ETH pool has been created. With the fixed path there is no pool to swap through, so any harvest that includes rKP3R cannot complete its conversion.

Recommended Mitigation Steps

Enable skipping conversion for specific assets (those with no usable pool), and add a per-asset pool-fee mapping to the customisable configuration so that the pool with the best liquidity can be selected for each hop instead of always using the 1% tier.
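The following is an added example, not the Sturdy adapter or any code from the report, of what the recommended configuration looks like: a per-asset fee tier for each hop of the assetFrom -> WETH -> assetTo route, a skip list for tokens like rKP3R that have no pool, and a configuration-time check that the chosen pool actually exists (Uniswap V3's factory returns address(0) for a pool that was never created, which is the failure mode of the fixed 1% path). The contract name, function names and the assumption that the caller has already transferred the reward tokens to the adapter are hypothetical; the ISwapRouter and IUniswapV3Factory signatures match the published Uniswap V3 contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces, declared inline so the example compiles stand-alone.
// Signatures match the published Uniswap V3 periphery router and core factory.
interface ISwapRouter {
    struct ExactInputParams {
        bytes path;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
    }

    function exactInput(ExactInputParams calldata params) external payable returns (uint256 amountOut);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address pool);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// @notice Hypothetical swap adapter (not the Sturdy code) with a per-asset fee tier
///         and a skip list, instead of one hard-coded 1% pool for every route.
contract ConfigurableSwapAdapter {
    address public immutable owner;
    address public immutable WETH;
    ISwapRouter public immutable router;
    IUniswapV3Factory public immutable factory;

    /// @dev Fee tier of the token/WETH pool for each reward token, in hundredths of a bip
    ///      (500 = 0.05%, 3000 = 0.3%, 10000 = 1%). Zero means "not configured".
    mapping(address => uint24) public feeToWeth;
    /// @dev Fee tier of the WETH/target pool, e.g. WETH/USDC at 500 rather than 10000.
    mapping(address => uint24) public feeFromWeth;
    /// @dev Reward tokens with no usable pool (rKP3R in the finding) that are held, not swapped.
    mapping(address => bool) public skipConversion;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address weth, ISwapRouter router_, IUniswapV3Factory factory_) {
        owner = msg.sender;
        WETH = weth;
        router = router_;
        factory = factory_;
    }

    /// @dev Rejects a fee tier whose pool was never created: the factory returns address(0).
    function _requirePool(address a, address b, uint24 fee) internal view {
        require(factory.getPool(a, b, fee) != address(0), "no pool at this fee tier");
    }

    function setFeeToWeth(address token, uint24 fee) external onlyOwner {
        _requirePool(token, WETH, fee);
        feeToWeth[token] = fee;
    }

    function setFeeFromWeth(address token, uint24 fee) external onlyOwner {
        _requirePool(WETH, token, fee);
        feeFromWeth[token] = fee;
    }

    function setSkipConversion(address token, bool skip) external onlyOwner {
        skipConversion[token] = skip;
    }

    /// @notice Packed V3 path: 20-byte token, 3-byte fee, 20-byte token, ... (uint24 packs to 3 bytes).
    ///         Single hop when assetFrom is already WETH, otherwise assetFrom -> WETH -> assetTo.
    function buildPath(address assetFrom, address assetTo) public view returns (bytes memory) {
        uint24 outFee = feeFromWeth[assetTo];
        require(outFee != 0, "WETH/assetTo fee tier not configured");
        if (assetFrom == WETH) {
            return abi.encodePacked(assetFrom, outFee, assetTo);
        }
        uint24 inFee = feeToWeth[assetFrom];
        require(inFee != 0, "assetFrom/WETH fee tier not configured");
        return abi.encodePacked(assetFrom, inFee, WETH, outFee, assetTo);
    }

    /// @notice Swaps a harvested reward into assetTo. Returns 0 without reverting for tokens on
    ///         the skip list, so one unswappable reward cannot block the whole distribution.
    function swap(address assetFrom, address assetTo, uint256 amountIn, uint256 amountOutMinimum, uint256 deadline)
        external
        onlyOwner
        returns (uint256 amountOut)
    {
        if (skipConversion[assetFrom]) {
            return 0;
        }
        // Assumption: the caller transferred amountIn of assetFrom to this contract beforehand.
        require(IERC20(assetFrom).approve(address(router), amountIn), "approve failed");
        amountOut = router.exactInput(
            ISwapRouter.ExactInputParams({
                path: buildPath(assetFrom, assetTo),
                recipient: msg.sender,
                deadline: deadline,
                amountIn: amountIn,
                amountOutMinimum: amountOutMinimum
            })
        );
    }
}
```

For the cases in the report the configuration would be `setFeeFromWeth(USDC, 500)` for the deeper WETH/USDC pool, `setFeeToWeth(SNX, 3000)` for the SNX/ETH 0.3% pool, and `setSkipConversion(rKP3R, true)`; a call to `setFeeToWeth(rKP3R, 10000)` reverts because no pool exists at that tier. Picking the fee tier only bounds the price impact from pool depth; `amountOutMinimum` still has to be supplied from an off-chain quote, since an on-chain caller cannot otherwise tell how much of the harvest was lost to slippage.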

