Omniscia Tokemak Audit

CurveControllerTemplate Manual Review Findings

CCT-01M: Weak Validation of Balance Increases

Description:

The linked code attempts to ascertain that a withdrawal from Curve was processed correctly, but does so by validating only that the contract's balance increased; it never checks the size of the increase against the amount the withdrawal was expected to return.

Example:

contracts/controllers/CurveControllerTemplate.sol
function _compareCoinsBalances(uint256[N_COINS] memory balancesBefore, uint256[N_COINS] memory balancesAfter, uint256[N_COINS] memory amounts) internal {
    for (uint256 i = 0; i < N_COINS; i++) {
        if (amounts[i] > 0) {
            // Only checks that the balance grew at all; the delta is never compared to amounts[i]
            require(balancesBefore[i] < balancesAfter[i], "BALANCE_MUST_INCREASE");
        }
    }
}

Recommendation:

We advise that the validation be performed more stringently by ensuring that the balance delta for each coin is at least the minimum amount specified in the withdrawal operation.
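The weak check beside its stricter form, as an added illustration of this finding and not Tokemak's contract code; N_COINS, the function names and the sample balances are assumptions made for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for CCT-01M; not Tokemak's contract code. N_COINS, the
// function names and the sample balances below are assumptions for the example.
contract BalanceDeltaCheckExample {
    uint256 internal constant N_COINS = 3;

    // Pattern flagged by the finding: any positive delta passes, so a withdrawal
    // that returned 1 unit against a requested minimum of 50 would still succeed.
    function weakCheck(
        uint256[N_COINS] memory balancesBefore,
        uint256[N_COINS] memory balancesAfter,
        uint256[N_COINS] memory minAmounts
    ) public pure {
        for (uint256 i = 0; i < N_COINS; i++) {
            if (minAmounts[i] > 0) {
                require(balancesBefore[i] < balancesAfter[i], "BALANCE_MUST_INCREASE");
            }
        }
    }

    // Stricter pattern per the recommendation: the delta for each coin must be at
    // least the minimum amount passed to the Curve withdrawal.
    function strictCheck(
        uint256[N_COINS] memory balancesBefore,
        uint256[N_COINS] memory balancesAfter,
        uint256[N_COINS] memory minAmounts
    ) public pure {
        for (uint256 i = 0; i < N_COINS; i++) {
            if (minAmounts[i] > 0) {
                // Explicit ordering check gives a readable reason instead of an underflow panic
                require(balancesAfter[i] >= balancesBefore[i], "BALANCE_MUST_NOT_DECREASE");
                uint256 delta = balancesAfter[i] - balancesBefore[i];
                require(delta >= minAmounts[i], "BALANCE_DELTA_BELOW_MIN");
            }
        }
    }

    // Constructed scenario: 50 units requested for coin 0, only 1 unit received.
    // weakCheck passes; strictCheck reverts, so demo() returns (true, false).
    function demo() external view returns (bool weakPassed, bool strictPassed) {
        uint256[N_COINS] memory before_ = [uint256(100), 0, 0];
        uint256[N_COINS] memory after_ = [uint256(101), 0, 0];
        uint256[N_COINS] memory mins = [uint256(50), 0, 0];
        weakCheck(before_, after_, mins); // does not revert
        weakPassed = true;
        try this.strictCheck(before_, after_, mins) { strictPassed = true; } catch { strictPassed = false; }
    }
}
```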

Alleviation:

The balance change is now properly validated as a minimum delta rather than a simple increase of balance.