Submission Details
Severity:
Protocol uses CurveRegistryExchange which is outdated
Summary
For exchanging tokens protocol may use his CurveAdapter.sol which relies on CurveRegistryExchange which is outdated. Link
Vulnerability Details
CurveAdapter.sol uses ICurveSwapRouter.sol interface to call CurveRegistryExchange but now it's outdated and does not consider all liquidity pools:
interface ICurveSwapRouter {
/// https://docs.curve.fi/router/CurveRegistryExchange/?h=#exchange_with_best_rate
/// @notice Finds the best rate and performs a swap between two tokens
/// @param _from The address of the token to swap from
/// @param _to The address of the token to swap to
/// @param _amount The amount of `fromToken` to swap
/// @param _expected The minimum acceptable amount of `toToken` to receive
/// @param _receiver The address to receive the output tokens (defaults to msg.sender if not provided)
/// @return amountOut The actual amount of `toToken` received
function exchange_with_best_rate(
address _from,
address _to,
uint256 _amount,
uint256 _expected,
address _receiver
)
external
payable
returns (uint256 amountOut);
}
Impact
CurveRegistryExchange contract is outdated, it does not support new pools
Tools Used
Manual Review
Recommendations
It is recommended to switch to CurveRouterNG
Updates
Lead Judging Commences
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
Protocol uses CurveRegistryExchange which is outdated
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821
USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.