Omniscia vfat Audit
MultiFarmStrategy Manual Review Findings
MFS-01M: Inexistent Guarantee of Fee Capture
Type | Severity | Location |
---|---|---|
Logical Fault | | MultiFarmStrategy.sol: I-1: L99, I-2: L158, I-3: L205 |
Description:
The `data` entry that charges the harvest and compound fees in the MultiFarmStrategy contract is defined entirely by the contract's caller, so fees can be bypassed by supplying an empty token array or tokens that the strategy does not hold.
Impact:
Fees can presently be bypassed via carefully crafted interaction payloads submitted to the MultiFarmStrategy implementation.
Example:
```solidity
202 targets[1] = address(feesLib);
203 data[1] = abi.encodeCall(
204     IFeesLib.chargeFees,
205     (strategyAddress, MultiFarmStrategyFees.Harvest, params.tokensOut)
206 );
207
208 targets[2] = address(transferLib);
209 data[2] =
210     abi.encodeCall(ITransferLib.transferTokensToUser, (sweepTokens));
```
Recommendation:
We advise the data entry utilized for fee capturing to be sanitized, either by crafting it from on-chain data or by requiring an off-chain signature that proves the payload was generated by the vfat team's front-end; we consider either approach adequate in rectifying this exhibit.
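The following is an added illustration written for this report, not vfat code: a minimal strategy in which a harvest fee is skimmed from every token listed in `tokensOut`. `harvestUnsafe` reproduces the pattern of the finding (the caller chooses both the fee-bearing list and the sweep list), and the two hardened variants implement the recommendation's options: deriving the list from on-chain data and accepting a caller-supplied list only under a front-end signature. `IFarm`, `FEE_BPS`, `trustedSigner` and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not vfat code. Interfaces and names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical farm: claims rewards and exposes which tokens it pays out.
interface IFarm {
    function harvest() external;
    function rewardTokens() external view returns (address[] memory);
}

contract HarvestFeeExample {
    uint256 public constant FEE_BPS = 100;       // 1% harvest fee (assumed)
    address public immutable feeRecipient;
    address public immutable trustedSigner;      // front-end signing key
    IFarm public immutable farm;
    mapping(bytes32 => bool) public usedPayload; // one-time use of signed payloads

    constructor(address _feeRecipient, address _trustedSigner, IFarm _farm) {
        require(_trustedSigner != address(0), "zero signer");
        feeRecipient = _feeRecipient;
        trustedSigner = _trustedSigner;
        farm = _farm;
    }

    // Shared fee logic: FEE_BPS of this contract's balance of each listed token.
    // Any token absent from `tokensOut` is never charged.
    function _chargeFees(address[] memory tokensOut) internal {
        for (uint256 i = 0; i < tokensOut.length; i++) {
            IERC20 token = IERC20(tokensOut[i]);
            uint256 fee = token.balanceOf(address(this)) * FEE_BPS / 10_000;
            if (fee > 0) require(token.transfer(feeRecipient, fee), "fee transfer");
        }
    }

    // Sweep the remaining balance of each listed token to the caller.
    function _sweepToUser(address[] memory sweepTokens) internal {
        for (uint256 i = 0; i < sweepTokens.length; i++) {
            IERC20 token = IERC20(sweepTokens[i]);
            uint256 bal = token.balanceOf(address(this));
            if (bal > 0) require(token.transfer(msg.sender, bal), "sweep transfer");
        }
    }

    // VULNERABLE (pattern of the finding): both lists come from the caller.
    // feeTokens = [] (or tokens this contract never holds) and
    // sweepTokens = farm.rewardTokens() harvests fee-free.
    function harvestUnsafe(address[] calldata feeTokens, address[] calldata sweepTokens) external {
        farm.harvest();
        _chargeFees(feeTokens);
        _sweepToUser(sweepTokens);
    }

    // HARDENED, option 1: the fee-bearing set is read from on-chain data the
    // caller cannot influence, and the same set is swept.
    function harvestOnchain() external {
        farm.harvest();
        address[] memory rewards = farm.rewardTokens();
        _chargeFees(rewards);
        _sweepToUser(rewards);
    }

    // HARDENED, option 2: a caller-supplied list is accepted only if the trusted
    // front-end signed it for this chain and contract, with a deadline and
    // single-use digest so a captured payload cannot be replayed.
    function harvestSigned(
        address[] calldata tokensOut,
        uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp <= deadline, "expired");
        bytes32 digest = keccak256(abi.encode(block.chainid, address(this), tokensOut, deadline));
        require(!usedPayload[digest], "replayed");
        usedPayload[digest] = true;
        // EIP-191 personal_sign prefix, as produced by common wallet libraries.
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        require(ecrecover(ethHash, v, r, s) == trustedSigner, "bad signature");
        farm.harvest();
        _chargeFees(tokensOut);
        _sweepToUser(tokensOut);
    }
}
```

The on-chain variant is the simpler fix where the farm exposes its reward tokens; the signed variant keeps the payload flexible but must bind the signature to the chain, the strategy address and a deadline, and record the digest, otherwise one signed payload can be reused indefinitely and a malleable `s` value does not matter because the digest itself is consumed.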
Alleviation (6ab7af3bb495b817ffec469255ea679b1813eecb):
The vfat team evaluated this exhibit and while they consider it to be valid, they do not believe it constitutes an active risk toward users and thus wish to address it at a later date.
As the vfat team's assessment is correct and the sole impact of the exhibit is on the protocol itself (forgone fee revenue rather than user funds), we consider this exhibit to have been safely acknowledged.