obront
medium
The deposit() function on the Curve staking contract (used in CurveLPStakingController.sol and BalancerLPStakingController.sol) has two optional parameters: _addr and _claim_rewards.
The controller allows for neither of these parameters to be passed, or for both to be passed, but does not include the signature for when just one of the arguments is passed.
The Vyper contract for Curve LP staking has a deposit function with the following signature:
def deposit(_value: uint256, _addr: address = msg.sender, _claim_rewards: bool = False):This function has a required _value argument, and optional _addr and _claim_rewards arguments.
To pass an optional argument in Vyper, we must pass all the earlier optional arguments. In other words, we are not able to call deposit(uint256,bool) because we can't pass the bool without the address.
However, we are allowed to pass earlier optional arguments and ignore later ones. Therefore, deposit(uint256,address) is a valid function signature that a user could call to specify the address for the deposit without claiming rewards.
This function has a function signature of 0x6e553f65 and should be included in the whitelisted functions in the Controller.
Users are limited in the actions they can take due to an oversight in function signatures.
Manual Review
Include the 0x6e553f65 function signature in both the CurveLPStakingController.sol and BalancerLPStakingController.sol contracts.