The TokeAutoEthStrategy::_deallocate() function calls AutopoolETH::redeem() which may fail or return insufficient funds due to slippage occurring during LP token liquidation. This can result in temporary freezing of funds until the next rebalancing period.
Vulnerability Details
The TokeAutoEthStrategy deposits WETH into the Tokemac AutopoolETH vault and stakes the received shares in a rewarder contract. During deallocation, the strategy calls autoEth.redeem() to withdraw the underlying WETH:
function_deallocate(uint256amount)internaloverridereturns(uint256){uint256 sharesNeeded = autoEth.convertToShares(amount);// ... withdraw from rewarder ... autoEth.redeem(sharesNeeded,address(this),address(this));uint256 wethRedeemed = wethBalanceAfter - wethBalanceBefore;if(wethRedeemed < amount){emitStrategyDeallocationLoss("Strategy deallocation loss.", amount, wethRedeemed);}require(TokenUtils.safeBalanceOf(address(weth),address(this))>= amount,"Strategy balance is less than the amount needed");// ...}
When users deposit into AutopoolETH, funds are allocated to different liquidity provider (LP) positions across various pools. The protocol maintains an idle amount for small redemptions, but larger redemptions require selling LP tokens to create the necessary liquidity.
During the LP token selling process within AutopoolETH::redeem(), slippage can occur due to:
Market conditions affecting LP token prices
Insufficient liquidity in the underlying pools
Large withdrawal amounts relative to idle reserves
According to the Tokemac documentation, if redemption cannot be fulfilled immediately due to insufficient idle funds, the funds may not be freed until the next rebalancing period. This can trap funds temporarily.
Impact Details
If redemption cannot be processed due to insufficient idle liquidity, strategy's funds remain locked until AutopoolETH's next rebalancing cycle.
