This repository has been archived by the owner on May 26, 2023. It is now read-only.
yixxas - removeAdaptor() is not removing the removed money market from withdrawSeq[].
#35
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
yixxas
medium
removeAdaptor()is not removing the removed money market fromwithdrawSeq[].Summary
Removing an adaptor should also remove the corresponding element in
withdrawSeq[], but is not done so in the current implementation.Vulnerability Detail
withdrawSeq[]is used in thewithdraw()function inAssetManager.sol. It iterates over thewithdrawSeq[]array and it would still contain the removed money market. This can lead to unexpected interactions as it still tries to withdraw from the already removed money market. Furthermore, the size ofwithdrawSeq[]cannot be reduced.setWithdrawSequence()only allows changing the order of the indexes, but length must remain the same. This can lead to confusions when an admin tries to change the order of the sequence, but fails aswithdrawSeq.length > moneyMarkets.length.Impact
Unexpected interactions with a removed money market can lead to unforeseen problems and causing confusions due to how
withdrawSeq[]size would always be higher thanmoneyMarkets[]size which cannot be fixed. I believe this is an oversight by the protocol developer team.Code Snippet
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L440-L457
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L139-L142
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L348-L359
Tool used
Manual Review
Recommendation
Add the logic of removing corresponding index from
withdrawSeq[]whenremoveAdaptor()is called.Duplicate of #76
The text was updated successfully, but these errors were encountered: