Thanks for the recommendation. We are aware of the other staking contracts but have decided not to implement them yet, and will likely do another audit for them. We plan on upgrading the ExternalRewardsDistributor contract regularly to add support for other staking solutions. See the PR we made independently that adds support for the Velodrome staking: VMEX-finance/vmex@ac8f025. Note that this PR is still a draft PR, but it shows that we are aware of the other ABIs that exist for other staking contracts.
Github username: @GalloDaSballo
Submission hash (on-chain): 0x39e6bdd72c6d292861d39347759d05434e7dfa37f4bbf1c8f6089f093fe6de87
Severity: low severity
Description
Newer Yield Optimizers such as Aura and Convex no longer use the classic stake / withdraw functions, meaning that the code will not be compatible with them
Attack Scenario
See for example:
AURA:
https://etherscan.io/address/0xddf14A569dD91AF895E3B05d6dBCBB9db1c3834C#writeContract
CVX:
https://etherscan.io/address/0x192469CadE297D6B21F418cFA8c366b63FFC9f9b#writeContract
Both of these contracts have a slightly different signature
function withdraw(uint256 amount, bool claim)
Making the contracts incompatible with them
Recommendation
Compatibility could be achieved by creating a common integration for each of the protocols, such as writing a contract that tracks individual deposits and withdrawals and then performs the deposits into the proper targets. Those will require another audit as the code is not clear, and there are many ways to lose funds if any of the operations reverts
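The withdrawal side of such a per-protocol integration could look like the following added example, which is not part of the report and is not VMEX code. The contract, enum and interface names are hypothetical; only the two-argument `withdraw` signature comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; every name below is hypothetical.
interface IClassicStaking {
    function withdraw(uint256 amount) external;
}

interface IClaimStaking {
    // Signature quoted in the report for the Aura and Convex pools.
    function withdraw(uint256 amount, bool claim) external;
}

// Meant to be inherited by the contract that holds the staked position,
// so withdrawn tokens arrive at the same address that staked them.
abstract contract StakingWithdrawDispatch {
    enum Kind { Unset, Classic, WithClaim }

    mapping(address => Kind) internal kindOf; // staking target => ABI family

    event StakingKindSet(address indexed target, Kind kind);

    // The inheriting contract must gate this behind its own access control.
    function _setKind(address target, Kind kind) internal {
        kindOf[target] = kind;
        emit StakingKindSet(target, kind);
    }

    // The two withdraw forms have different 4-byte selectors, so calldata
    // encoded for one matches no function on a pool exposing only the other.
    function _withdrawStaked(address target, uint256 amount, bool claim) internal {
        Kind kind = kindOf[target];
        if (kind == Kind.Classic) {
            IClassicStaking(target).withdraw(amount); // claim flag not applicable
        } else if (kind == Kind.WithClaim) {
            IClaimStaking(target).withdraw(amount, claim);
        } else {
            // Fail closed: an unregistered target reverts the whole call
            // instead of being tried with a guessed ABI.
            revert("unsupported staking ABI");
        }
    }
}
```

Because the external call is made through a typed interface, a revert in the staking pool reverts the caller's whole transaction, so any accounting written earlier in the same call is rolled back with it.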