Report for issue #171 updated by 0xmystery
c4-bot-7 committed Dec 8, 2023
1 parent 62dde5b commit 3c06e62
Showing 1 changed file with 25 additions and 1 deletion.
26 changes: 25 additions & 1 deletion data/0xmystery-Q.md
Expand Up @@ -278,12 +278,36 @@ https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/Curve
I recommend having a function the owner can make withdraws on the stuck excess funds when needed.

## [L-11] Risk assessment and mitigation strategies for WBTC depeg
The potential depegging of WBTC (Wrapped Bitcoin) from Bitcoin poses a risk in the DeFi ecosystem, as evidenced by past instances like the November 2021 event linked to the FTX collapse, with its price deviating from its native asset, Bitcoin. This was primarily attributed to the activities and financial troubles of significant holders like Alameda Research, and other related factors contributing to market uncertainty and fear. During this period, market data indicated an 8.82% decrease in WBTC supply and a trading discount of 1.3% compared to Bitcoin. Such events raise concerns about the stability of wrapped assets and their reliance on the credibility of issuers like BitGo
According to the contract NatSpec of CurveTricryptoAdapter.sol, the Curve tricrypto adapter has WBTC in the trio pool:

https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/CurveTricryptoAdapter.sol#L21-L24

```solidity
/**
* @notice
* curve tricrypto adapter contract enabling swapping, adding liquidity & removing liquidity for the curve usdt-wbtc-eth pool
*/
```
It's noteworthy that the potential depegging of WBTC (Wrapped Bitcoin) from Bitcoin poses a risk in the DeFi ecosystem, as evidenced by past instances like the November 2021 event linked to the FTX collapse, with its price deviating from its native asset, Bitcoin. This was primarily attributed to the activities and financial troubles of significant holders like Alameda Research, and other related factors contributing to market uncertainty and fear. During this period, market data indicated an 8.82% decrease in WBTC supply and a trading discount of 1.3% compared to Bitcoin. Such events raise concerns about the stability of wrapped assets and their reliance on the credibility of issuers like BitGo

["Analyzing the WBTC FUD after the FTX collapse and its depeg"](https://cryptonews.net/news/bitcoin/17498467/)

To mitigate this, it's recommended to regularly refactor and audit smart contract code, implement dynamic slippage adjustments, improve oracles for accurate price feeds, monitor liquidity pool health, develop circuit breakers and emergency protocols, educate the community about risks, encourage diversification in portfolios, and enhance governance mechanisms in DeFi platforms. These steps are crucial for managing risks associated with the depegging of wrapped assets like WBTC and maintaining stability in the DeFi market.

## [L-12] Unrestricted asset approval
`Curve2PoolAdapter._approveToken()` and `CurveTricryptoAdapter._approveToken()` use `type(uint256).max` to set the maximum possible allowance for ERC-20 token transfers, a common practice in Ethereum smart contracts.

https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/Curve2PoolAdapter.sol#L189-L192
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/CurveTricryptoAdapter.sol#L241-L244

```solidity
function _approveToken(address tokenAddress) private {
IERC20Metadata(tokenAddress).approve(ocean, type(uint256).max);
IERC20Metadata(tokenAddress).approve(primitive, type(uint256).max);
}
```
This approach allows another address (ocean and primitive) to spend tokens on the user's behalf without repeatedly setting allowances, enhancing convenience and gas efficiency. However, it also carries a security risk; if the contract or approved address is compromised, an attacker could potentially access the user's entire token balance. While this method is prevalent, especially in decentralized finance (DeFi) applications, for its user-friendliness and efficiency, it is important to balance these benefits against the potential security vulnerabilities it introduces.

## [NC-01] Incorrect comments
`Ocean.forwardedDoInteraction()` is making call to `_doInteraction()` instead of `_doMultipleInteractions()`.
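Review bot: In [L-12] the risk is misattributed. The two `approve` calls sit inside `_approveToken`, a private function of the adapter, so the adapter itself is `msg.sender` and the unlimited allowance is granted over tokens held by the adapter contract, not over "the user's entire token balance"; the sentence should say that a compromised `ocean` or `primitive` spender could drain whatever balance the adapter holds. The finding also ends without a recommendation, unlike [L-11]; state one explicitly (for example, approving only the amount needed for the current interaction, or resetting the allowance to zero once the swap or liquidity action completes) so the reader knows what change is being asked for. Separately, in [L-11] the opening paragraph ("The potential depegging of WBTC (Wrapped Bitcoin) ...") is repeated verbatim after the NatSpec quote as "It's noteworthy that ...", and both copies lack a terminating period after "BitGo"; keep one copy, and narrow the closing mitigation list to the items that actually apply to this adapter (slippage bounds and a circuit breaker on the usdt-wbtc-eth pool path) rather than the generic "refactor and audit" advice.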

