Omniscia vfat Audit

VelodromeRouterConnector Manual Review Findings

VRC-01M: Inexistent Approval of LP Units

Description:

The VelodromeRouterConnector::removeLiquidity function does not approve the LP asset that will ultimately be burned to extract the relevant funds, rendering the integration incompatible.

Impact:

The current VelodromeRouterConnector::removeLiquidity function implementation is incompatible with the Velodrome Finance implementation as it does not provide an adequate approval of the LP units removed toward the router implementation.

Example:

contracts/connectors/velodrome/VelodromeRouterConnector.sol
function removeLiquidity(
    RemoveLiquidityParams memory removeLiquidityParams
) external override {
    VelodromeLiquidityExtraData memory _extraData = abi.decode(
        removeLiquidityParams.extraData, (VelodromeLiquidityExtraData)
    );
    IRouter(removeLiquidityParams.router).removeLiquidity(
        removeLiquidityParams.tokens[0],
        removeLiquidityParams.tokens[1],
        _extraData.isStablePool,
        removeLiquidityParams.lpAmountIn,
        removeLiquidityParams.minAmountsOut[0],
        removeLiquidityParams.minAmountsOut[1],
        address(this),
        block.timestamp
    );
}

Recommendation:

We advise that the referenced function approve, toward the router, the pair that the LP amounts are attached to, ensuring that the liquidity removal operation succeeds.
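The recommendation above expressed in Solidity, as an added example that is not vfat's or Omniscia's code: the connector approves the LP token toward the router for exactly the amount being removed, then calls removeLiquidity. The struct layouts, the lpToken field, and the interface, error and contract names are assumptions; only the field names used in the excerpt come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20Minimal {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IRouterMinimal {
    // Argument order taken from the call in the excerpt above.
    function removeLiquidity(
        address tokenA, address tokenB, bool stable, uint256 liquidity,
        uint256 amountAMin, uint256 amountBMin, address to, uint256 deadline
    ) external returns (uint256 amountA, uint256 amountB);
}

// Assumed layouts: only the field names used in the excerpt come from the page.
struct VelodromeLiquidityExtraData { bool isStablePool; }
struct RemoveLiquidityParams {
    address router;
    address lpToken; // hypothetical field: the pair token the router burns
    address[] tokens;
    uint256 lpAmountIn;
    uint256[] minAmountsOut;
    bytes extraData;
}

contract ApprovingConnectorExample {
    error LpApprovalFailed();

    function removeLiquidity(RemoveLiquidityParams memory p) external {
        VelodromeLiquidityExtraData memory extra =
            abi.decode(p.extraData, (VelodromeLiquidityExtraData));

        // Allow the router to pull exactly the LP units being removed,
        // so no residual allowance is left once the call completes.
        if (!IERC20Minimal(p.lpToken).approve(p.router, p.lpAmountIn)) {
            revert LpApprovalFailed();
        }

        IRouterMinimal(p.router).removeLiquidity(
            p.tokens[0], p.tokens[1], extra.isStablePool, p.lpAmountIn,
            p.minAmountsOut[0], p.minAmountsOut[1], address(this), block.timestamp
        );
    }
}
```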

Alleviation (6ab7af3bb495b817ffec469255ea679b1813eecb):

The vfat team evaluated this exhibit and clarified that the approval operation is occurring within the ZapLib implementation and specifically at this point.

As such, we consider this exhibit to be invalid when considered through the ZapLib integration and thus nullified.