Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 10/65
Findings: 2
Award: $1,376.01
Selected for report: 0
Solo Findings: 0
The ConvexCurveLPVault.sol contract allows users to earn yield on Curve LP token deposits. Rewards are paid out in the native CRV and CVX tokens, but the reward manager of the underlying Convex base pool may also add extra reward tokens. Because processYield() iterates over the entire list of extra rewards, and the reward manager controls the length of that list, they can extend it until processYield() can no longer complete within the block gas limit. The protocol then effectively loses all yield accrued on users' deposits: that yield stays locked in the vault, because processYield() is the only path by which it is transferred out of the vault contract.

Consider bounding the work done per call by iterating only over the first X extra reward tokens in processYield().
#0 - sforman2000
2022-05-18T02:33:42Z
367.5749 USDC - $367.57
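The following is an added illustration of the pattern described above and is not Sturdy's ConvexCurveLPVault.sol or any code from the contest. It shows a stripped-down vault with the vulnerable loop next to the bounded version the finding recommends. The contract name ExtraRewardsVault, the constant MAX_EXTRA_REWARDS and its value, and the yieldManager recipient are assumptions; the interfaces are the subset of Convex's BaseRewardPool and VirtualBalanceRewardPool that the example relies on. Handling of the native CRV and CVX rewards is omitted to keep the focus on the extra-rewards loop.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Illustrative contract, not Sturdy's code. Interfaces below are the assumed
// subset of Convex's BaseRewardPool / VirtualBalanceRewardPool used here.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IConvexBaseRewardPool {
    function getReward() external returns (bool);
    function extraRewardsLength() external view returns (uint256);
    function extraRewards(uint256 index) external view returns (address);
}

interface IVirtualBalanceRewardPool {
    function rewardToken() external view returns (address);
}

contract ExtraRewardsVault {
    IConvexBaseRewardPool public immutable baseRewardPool;
    address public immutable admin;
    address public immutable yieldManager;

    // Upper bound on extra reward tokens touched per processYield() call.
    // The value 8 is an assumption for this example; the point is that the
    // vault, not the Convex reward manager, decides how much work a call does.
    uint256 public constant MAX_EXTRA_REWARDS = 8;

    constructor(IConvexBaseRewardPool pool, address manager) {
        baseRewardPool = pool;
        admin = msg.sender;
        yieldManager = manager;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Vulnerable shape: the loop bound is read from the base pool, and the
    // pool's reward manager can grow extraRewards until this call no longer
    // fits in a block. From then on no yield leaves the vault.
    function processYieldUnbounded() external onlyAdmin {
        baseRewardPool.getReward();
        uint256 n = baseRewardPool.extraRewardsLength();
        for (uint256 i = 0; i < n; i++) {
            _forward(_extraToken(i));
        }
    }

    // Hardened shape: cap the iteration count. Tokens beyond the cap are not
    // collected by this path, which is a bounded loss instead of a permanent
    // denial of service against all yield.
    function processYieldBounded() external onlyAdmin {
        baseRewardPool.getReward();
        uint256 n = baseRewardPool.extraRewardsLength();
        if (n > MAX_EXTRA_REWARDS) {
            n = MAX_EXTRA_REWARDS;
        }
        for (uint256 i = 0; i < n; i++) {
            _forward(_extraToken(i));
        }
    }

    // Resolve the ERC20 paid out by the i-th extra reward pool.
    function _extraToken(uint256 index) internal view returns (address) {
        return IVirtualBalanceRewardPool(baseRewardPool.extraRewards(index)).rewardToken();
    }

    // Forward the vault's whole balance of one reward token to the yield manager.
    // A production version would use SafeERC20 to tolerate non-standard tokens.
    function _forward(address token) internal {
        uint256 bal = IERC20(token).balanceOf(address(this));
        if (bal > 0) {
            require(IERC20(token).transfer(yieldManager, bal), "transfer failed");
        }
    }
}
```

One caveat when applying this to a real Convex integration: BaseRewardPool.getReward(address,bool) walks the same extraRewards list inside the pool when the claimExtras flag is true, so capping only the vault-side loop is not enough on its own. The claim would also need to pass claimExtras = false and then claim from the first MAX_EXTRA_REWARDS extra pools individually; the snippet above stays with the vault-side loop that the finding describes.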
https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/YieldManager.sol#L118-L137
processYield() restricts callers to the vault admin. When yield is processed, the treasury receives its share and the remainder is transferred to the YieldManager.sol contract. To distribute that yield, the manager calls distributeYield(), which swaps all reward tokens to the exchange token and deposits the result into the lending pool.

A user can front-run distributeYield() by depositing into the pool immediately before it executes and withdrawing immediately after. The user captures a share of the distributed yield while bearing none of the protocol's risk over the period in which that yield accrued, and in doing so dilutes the share that goes to the honest depositors who did.

Ensure that distributions are weighted by deposit duration. One option is a streaming contract that is funded by each yield distribution but releases it to the lending pool gradually over a number of blocks, so that a depositor benefits only in proportion to how long they remain deposited.
#0 - sforman2000
2022-05-18T02:44:11Z
Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/61 (high risk)
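The following is an added illustration of the streaming mitigation suggested in the finding above; it is not Sturdy's YieldManager.sol and not code from the contest. Instead of depositing a lump of yield into the lending pool in one transaction, the yield manager hands it to a YieldStream contract that releases it linearly over STREAM_DURATION, in the style of Synthetix's StakingRewards rate accounting. The contract name, the function names notifyYield(), releasable() and release(), the 7-day STREAM_DURATION, and the lendingPool and yieldManager addresses are all assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative contract, not Sturdy's code. Yield handed to notifyYield() is
// released to the lending pool linearly over STREAM_DURATION rather than in
// a single block, so a deposit / distribute / withdraw sandwich captures only
// the slice released while the attacker was actually deposited.
contract YieldStream {
    IERC20 public immutable yieldToken;
    address public immutable lendingPool;   // destination of released yield
    address public immutable yieldManager;  // only funder of the stream
    uint256 public constant STREAM_DURATION = 7 days; // assumed value

    uint256 public ratePerSecond;  // tokens released per second while streaming
    uint256 public periodFinish;   // timestamp at which the current stream ends
    uint256 public lastRelease;    // timestamp up to which yield has been pushed

    constructor(IERC20 token, address pool, address manager) {
        yieldToken = token;
        lendingPool = pool;
        yieldManager = manager;
    }

    // Called by the yield manager in place of a direct deposit into the pool.
    // Whatever is still unreleased from the previous stream is rolled into
    // the new one so the rate never drops to zero mid-stream.
    function notifyYield(uint256 amount) external {
        require(msg.sender == yieldManager, "not yield manager");
        release(); // settle the old rate before changing it
        require(yieldToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");

        uint256 leftover = 0;
        if (block.timestamp < periodFinish) {
            leftover = (periodFinish - block.timestamp) * ratePerSecond;
        }
        // Integer division leaves a small remainder in the contract; a
        // production version would track and carry that dust forward.
        ratePerSecond = (amount + leftover) / STREAM_DURATION;
        periodFinish = block.timestamp + STREAM_DURATION;
        lastRelease = block.timestamp;
    }

    // Yield accrued since the last release, capped at the end of the stream.
    function releasable() public view returns (uint256) {
        uint256 until = block.timestamp < periodFinish ? block.timestamp : periodFinish;
        if (until <= lastRelease) {
            return 0;
        }
        return (until - lastRelease) * ratePerSecond;
    }

    // Anyone may push accrued yield to the lending pool; calling it more
    // often only makes the release smoother, it never releases more.
    function release() public {
        uint256 amount = releasable();
        lastRelease = block.timestamp;
        if (amount > 0) {
            require(yieldToken.transfer(lendingPool, amount), "transfer failed");
        }
    }
}
```

With this in place, a user who deposits in the block before notifyYield() and withdraws in the block after receives at most a few seconds' worth of ratePerSecond, and has to keep capital in the pool for the full stream to collect the rest. Streaming on its own still shares each released slice among whoever is deposited at that moment; weighting each depositor's share by time deposited (reward-per-token accounting inside the pool) is the stronger form of the same idea, and the stream is the simpler option the finding suggests.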