Omniscia vfat Audit
NftFarmStrategy Manual Review Findings
NFS-01M: Inexistent Guarantee of Fee Capture
| Type | Severity | Location |
|---|---|---|
| Logical Fault | | NftFarmStrategy.sol:L943 |
Description:
The NftFarmStrategy::_zap_out function relies on the caller-supplied tokensOut parameter to decide which tokens it charges a fee on. That list is never checked against the assets actually produced by the zap-out, so the fees of several operations can be avoided.
Impact:
It is presently possible to avoid the fees charged by several of the functions within the NftFarmStrategy by passing in a carefully crafted NftWithdraw::tokensOut entry.
Example:
```solidity
929 function _zap_out(
930     Sickle sickle,
931     NftWithdraw calldata params,
932     bytes4 withdrawalFee
933 ) private {
934     address[] memory targets = new address[](2);
935     bytes[] memory data = new bytes[](2);
936
937     targets[0] = address(nftZapLib);
938     data[0] = abi.encodeCall(INftZapLib.zapOut, (params.zap));
939
940     targets[1] = address(feesLib);
941     data[1] = abi.encodeCall(
942         IFeesLib.chargeFees,
943         (strategyAddress, withdrawalFee, params.tokensOut)
944     );
945
946     sickle.multicall(targets, data);
947 }
```
Recommendation:
As the zap-out mechanism is invoked via several complex workflows (i.e. any that relies on NftFarmStrategy::_withdraw), we advise the code to either propagate a top-level argument all the way to the NftFarmStrategy::_zap_out implementation denoting which tokens fees should be charged for, or to use the output of the zap-out operation as the basis for charging fees.

We consider either of the advised approaches correct in alleviating this exhibit, with the former being the more accurate one.
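The second advised approach, deriving the fee basis from what the zap-out actually produced rather than from a caller-supplied list, is illustrated below with an added, simplified example. It is not vfat's code: the interfaces, the `candidates` allow-list and the single-contract layout (no Sickle multicall) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces, not the project's own.
interface IERC20Like { function balanceOf(address) external view returns (uint256); }
interface IZapLibLike { function zapOut(bytes calldata zap) external; }
interface IFeesLibLike {
    function chargeFees(address strategy, bytes4 feeKey, address[] calldata tokens) external;
}

contract ZapOutFeeBasisExample {
    IZapLibLike public immutable zapLib;
    IFeesLibLike public immutable feesLib;
    address public immutable strategyAddress;

    constructor(IZapLibLike z, IFeesLibLike f, address s) {
        zapLib = z; feesLib = f; strategyAddress = s;
    }

    // `candidates` is a closed list owned by the strategy (e.g. the farm's pool
    // tokens), NOT a caller-supplied choice of which tokens to charge. The fee
    // basis is every candidate whose balance grew during the zap-out, so a
    // crafted tokensOut entry can no longer shrink the set of charged tokens.
    function zapOutAndChargeFees(
        bytes calldata zap,
        bytes4 withdrawalFee,
        address[] memory candidates
    ) internal {
        uint256 len = candidates.length;
        uint256[] memory before = new uint256[](len);
        for (uint256 i; i < len; i++) {
            before[i] = IERC20Like(candidates[i]).balanceOf(address(this));
        }

        zapLib.zapOut(zap); // assumed to deliver output tokens to this contract

        address[] memory produced = new address[](len);
        uint256 n;
        for (uint256 i; i < len; i++) {
            if (IERC20Like(candidates[i]).balanceOf(address(this)) > before[i]) {
                produced[n++] = candidates[i];
            }
        }
        assembly { mstore(produced, n) } // shrink the array to the n tokens found

        feesLib.chargeFees(strategyAddress, withdrawalFee, produced);
    }
}
```

Because the charged set is computed from balance deltas observed around the zap call, the caller never supplies a fee basis at all; the first advised approach (propagating a top-level token list) would instead require that list to be validated against the same post-zap balances.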
Alleviation (6ab7af3bb495b817ffec469255ea679b1813eecb):
The vfat team evaluated this exhibit and, while they consider it to be valid, do not believe it constitutes an active risk toward users and thus wish to address it at a later date.

As the assessment of the vfat team is correct and the sole impact of the exhibit is toward the protocol itself, we consider this exhibit to have been safely acknowledged.