#42033 [SC-Insight] MoneyBrinter contract does not consider farm's pausing status
Submitted on Mar 20th 2025 at 07:26:30 UTC by @trtrth for Audit Comp | Yeet
Report ID: #42033
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol
Impacts:
Description
Brief/Intro
The contract MoneyBrinter
does not consider Kodiak farm's pausing status for staking and withdrawals. This can cause MoneyBrinter
to be incompliant with ERC-4626
Vulnerability Details
Both function depositFor()
and withdrawTo()
from Beradrome farm plugin contract handle withdraw locked all from Kodiak farm and continue to stake all into the farm. Here depositFor()
is called by MoneyBrinter::deposit()
and MoneyBrinter::mint(). The function
withdrawTo()is called by
MoneyBrinter::withdraw()and
MoneyBrinter::redeem(). So all the core functions of
MoneyBrinter` contract go through the steps Farm::withdrawLockedAll() -> Farm::stakeLocked().
On the other side, the farm contract has pausing feature for the staking and withdrawals. So in case only one of these two is paused, then the core functions of MoneyBrinter
contract does not work and all funds can be temporarily locked in farm contract
Impact Details
ERC-4626 incompliant
Contract's core functions can be unable to operate
References
Farm contract: https://bartio.beratrail.io/token/0xbdEE3F788a5efDdA1FcFe6bfe7DbbDa5690179e6/contract/code
Beradrome plugin contract: https://bartio.beratrail.io/token/0x80D7759Fa55f6a1F661D5FCBB3bC5164Dc63eb4D/contract/code
Proof of Concept
Proof of Concept
Modify the test
test_Valid_Deposit_Into_Beradrome
in test filetest/vault/Vault_IntegrationTest_ZeroFee.t.sol
Run the test by command
forge t --mt test_Valid_Deposit_Into_Beradrome -vv
and the console shows
It means that the maxDeposit()
returns wrong value, and it is also impossible to deposit into the vault even when Kodiak farm only pauses withdrawals
Was this helpful?