Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
35 lines (19 loc) · 1.18 KB

023.md

File metadata and controls

35 lines (19 loc) · 1.18 KB
Raw

obront

high

Curve LP Controller withdraw and claim function uses wrong signature

Summary

The function signature used for WITHDRAWCLAIM in both CurveLPStakingController.sol and BalancerLPStakingController.sol are incorrect, leading to the function not succeeding.

Vulnerability Detail

In both the CurveLPStakingController.sol and BalancerLPStakingController.sol contracts, the function selector 0x00ebf5dd is used for WITHDRAWCLAIM. This selector corresponds to a function signature of withdraw(uint256,address,bool).

bytes4 constant WITHDRAWCLAIM = 0x00ebf5dd;

However, the withdraw() function in the Curve contract does not have an address argument. Instead, the function signature reads withdraw(uint256,bool), which corresponds to a function selector of 0x38d07436.

Impact

Users who have deposited assets into Curve pools will not be able to claim their rewards when they withdraw their tokens.

Code Snippet

https://github.com/sherlock-audit/2022-11-sentiment/blob/main/controller-merged/src/balancer/BalancerLPStakingController.sol#L30-L31

Tool used

Manual Review

Recommendation

Change the function selector in both contracts to 0x38d07436.