Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

All strategies can be removed by "onlyOwner"

Summary

All strategies can be removed by "onlyOwner".

Vulnerability Details

The current implementation of the `removeStrategy` function allows the owner to remove any strategy, including the possibility of removing all strategies.

```solidity
function removeStrategy(
    uint256 _index,
    bytes memory _strategyUpdateData,
    bytes calldata _strategyWithdrawalData
) external onlyOwner {
    // The only precondition is that the index exists
    require(_index < strategies.length, "Strategy does not exist");

    // Settle rewards for the strategy being removed
    uint256[] memory idxs = new uint256[](1);
    idxs[0] = _index;
    _updateStrategyRewards(idxs, _strategyUpdateData);

    // Withdraw everything still deposited in the strategy
    IStrategy strategy = IStrategy(strategies[_index]);
    uint256 totalStrategyDeposits = strategy.getTotalDeposits();
    if (totalStrategyDeposits > 0) {
        strategy.withdraw(totalStrategyDeposits, _strategyWithdrawalData);
    }

    // Shift the remaining entries left and drop the last slot
    for (uint256 i = _index; i < strategies.length - 1; i++) {
        strategies[i] = strategies[i + 1];
    }
    strategies.pop();

    // Revoke the removed strategy's token allowance
    token.safeApprove(address(strategy), 0);
}
```

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L298C3-L322C1

Impact

Inability to deposit: The deposit function requires at least one strategy to be present:

```solidity
require(strategies.length > 0, "Must be > 0 strategies to stake");
```

Tools Used

Recommendations

Implement a safeguard to prevent removing all strategies:

```solidity
require(strategies.length > 1, "Cannot remove the last strategy");
```

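The effect described under Impact and the recommended check, side by side, as an added example that is not part of the submission or of Stakelink's code. `StrategyListModel`, `removeStrategyUnguarded`, `removeStrategyGuarded`, `addStrategy`, the simplified `deposit` and the "Not owner" message are hypothetical names for this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model, not Stakelink code: only the strategy list and the
// require checks quoted above are kept; rewards, withdrawals and token
// approvals from the real removeStrategy are left out.
contract StrategyListModel {
    address public immutable owner;
    address[] public strategies;

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _firstStrategy) {
        owner = msg.sender;
        strategies.push(_firstStrategy);
    }

    function addStrategy(address _strategy) external onlyOwner {
        strategies.push(_strategy);
    }

    // Behaviour as quoted: the only check is on the index, so the owner can
    // empty the list.
    function removeStrategyUnguarded(uint256 _index) external onlyOwner {
        _remove(_index);
    }

    // Behaviour with the recommended check: the last entry cannot be removed.
    function removeStrategyGuarded(uint256 _index) external onlyOwner {
        require(strategies.length > 1, "Cannot remove the last strategy");
        _remove(_index);
    }

    // Stand-in for the deposit path; reverts once the list is empty.
    function deposit() external view returns (uint256 strategyCount) {
        require(strategies.length > 0, "Must be > 0 strategies to stake");
        return strategies.length;
    }

    function _remove(uint256 _index) private {
        require(_index < strategies.length, "Strategy does not exist");
        for (uint256 i = _index; i < strategies.length - 1; i++) {
            strategies[i] = strategies[i + 1];
        }
        strategies.pop();
    }
}
```

In this model, replacing the only strategy through the guarded path means calling `addStrategy` for the replacement before removing the old entry.
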
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
