claimAndSwap Function - Missing Validation on Strategy Shutdown status
All Strategy contracts derive from BaseStrategy, which can be shut down by the owner. However, the claimAndSwap function doesn't check the shutdown status of the contract, so the swap operation can continue after shutdown. This could result in an unexpected lock of funds or misbehavior.
Here's the implementation of the claimAndSwap function of the StrategyOp contract:
As seen above, there's no check while performing the claim and swap operation. It permits operation calls after shutdown, which allows a keeper to claim underlying tokens, swap them into the asset, and deposit them into the transmuter.
This unintentionally reintroduces assets into the system even after it has been marked as terminated.
Allowing operations like claimAndSwap after shutdown risks financial manipulation, system instability, and inaccurate asset tracking, potentially leading to unexpected losses or imbalances.
Furthermore, it undermines stakeholder trust, damages the platform's image, and disincentivizes users' operations.
Manual Review
Consider blocking use of the claimAndSwap function when the strategy is shut down. TokenizedStrategy.isShutdown() can be used.
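The recommended guard next to the unguarded behaviour described in this finding, as an added sketch that is not the StrategyOp code. Only isShutdown() comes from the page; MockTokenizedStrategy, StrategySketch, ShutdownDemo, the single uint256 parameter and the deposited counter are constructed stand-ins, and the keeper access check is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed stand-in for the shutdown flag; only isShutdown() is named on the page.
contract MockTokenizedStrategy {
    bool public isShutdown;
    function shutdown() external { isShutdown = true; }
}

contract StrategySketch {
    error StrategyIsShutdown();

    MockTokenizedStrategy public immutable TokenizedStrategy;
    uint256 public deposited; // stands in for assets pushed to the transmuter

    constructor(MockTokenizedStrategy ts) { TokenizedStrategy = ts; }

    // Rejects the call once the strategy has been shut down.
    modifier whenNotShutdown() {
        if (TokenizedStrategy.isShutdown()) revert StrategyIsShutdown();
        _;
    }

    // Behaviour described in the finding: no shutdown check (hypothetical signature).
    function claimAndSwapUnguarded(uint256 amount) external {
        deposited += amount;
    }

    // Recommended behaviour: same operation behind the shutdown guard.
    function claimAndSwapGuarded(uint256 amount) external whenNotShutdown {
        deposited += amount;
    }
}

// Shuts the strategy down, then tries both paths.
contract ShutdownDemo {
    function run() external returns (bool unguardedWentThrough, bool guardedReverted) {
        MockTokenizedStrategy ts = new MockTokenizedStrategy();
        StrategySketch s = new StrategySketch(ts);
        ts.shutdown();

        s.claimAndSwapUnguarded(100);
        unguardedWentThrough = s.deposited() == 100; // assets re-entered after shutdown

        try s.claimAndSwapGuarded(100) {
            guardedReverted = false;
        } catch {
            guardedReverted = true; // StrategyIsShutdown()
        }
    }
}
```

Calling run() on ShutdownDemo returns (true, true): the unguarded path still moves assets after shutdown, while the guarded path reverts.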