Stake Contracts are not compatible with the most popular yield optimizers (CVX and AURA)

[hats-bug-reporter]

Github username: @GalloDaSballo
Submission hash (on-chain): 0x39e6bdd72c6d292861d39347759d05434e7dfa37f4bbf1c8f6089f093fe6de87
Severity: low severity

Description:
Description
Newer Yield Optimizers such as Aura and Convex no longer use the classic stake withdraw functions, meaning that the code will not be compatible with them

Attack Scenario
See for example:

AURA:
https://etherscan.io/address/0xddf14A569dD91AF895E3B05d6dBCBB9db1c3834C#writeContract

CVX:
https://etherscan.io/address/0x192469CadE297D6B21F418cFA8c366b63FFC9f9b#writeContract

Both of these contracts have a slightly different signature function withdraw(uint256 amount, bool claim)

Making the contracts incompatible with them

Recommendation
Compatibility could be achieved by creating a common integration for each of the protocols, such as writing a contract that tracks individual deposits and withdrawals and then performs the deposits into the proper targets. Those will require another audit as the code is not clear, and there are many ways to lose funds if any of the operation reverts

[ksyao2002]

Thanks for the recommendation. We are aware of the other staking contracts but have decided not to implement them yet, and will likely do another audit for them. We plan on upgrading the ExternalRewardsDistributor contract regularly to add support for other staking solutions. See the PR we made independently that adds support for the velodrome staking: VMEX-finance/vmex@ac8f025. Note that this PR is still a draft PR but it shows that we are aware of the other abis that exist for other staking contracts.

[ksyao2002]

Since we were already aware of this issue, I will mark it as invalid for now.