Router could be enabled by mistake which will lead to funds loss
Summary
There is no information about the SmartVaultManagerV5::swapRouter variable in the contract code, but if it is set, it will lead to protocol funds loss due to a known bug in SmartVaultV3::swap.
Vulnerability Details
There was a hack of the protocol (see details here). To mitigate it:
SmartVaultManagerV5::swapRouterwas set to the zero address (https://arbiscan.io/tx/0xa70011c81471401dd6683994542ed63d99c9177bcdc500a5803e9af4ac7f394e).The setter for
SmartVaultManagerV5::swapRouterwas removed.A new variable
SmartVaultManagerV5::swapRouter2was introduced.
But there is no information about why SmartVaultManagerV5::swapRouter is not used. In several years, this knowledge could be forgotten, and the variable could be re-used. After this variable is set, old vaults will be vulnerable again since MINTER_ROLE wasn't revoked from vulnerable vaults.
Even in the Discord channel of the contest, there were questions about why this variable is not re-used.
Impact
If the variable is set, users of already deployed vaults could create unlimited bad debt using the bug described here.
Tools Used
Manual review
Recommended Mitigation
Write a detailed doc block for
SmartVaultManagerV5::swapRouterexplaining why it should never be used.Revoke
MINTER_ROLEfrom the vulnerable vaults (and ask users to migrate funds to the new vaults).
Lead Judging Commences
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.