Yield Staking Zap

[tomwade]

Story details: https://app.shortcut.com/nftx/story/529

[shortcut-integration]

This pull request has been linked to Shortcut Story #529: Yield Staking Zap.

[alexgausman]

Hey @tomwade. I'm concerned about removing require(msg.sender == nftxVaultFactory.zapContract(), "Not a zap"); from timelockMintFor on NFTXInventoryStaking.sol.

Originally we had only the require(nftxVaultFactory.excludedFromFees(msg.sender), "Not fee excluded"); check on the function, but we had begun adding more addresses to the list of fee exclusions (e.g. ScottLewis for market making, and a custom ROO community staking zap). The timelockMintFor function (on InventoryStaking) allows for xTokens to be minted without depositing vTokens, so we realized that the addresses we added to the fee exclusions were able to infinite mint xTokens without depositing vTokens, basically enabling them to rug vaults. So we added in the zapContract check as a way to ensure only the zap contract can use that function.

The timelockMintFor function on NFTXLPStaking.sol works differently because it makes sure the necessary SLP tokens are being deposited, so there is no way for any 3rd parties (who have been added to the fee exclusion list) to infinite mint xSLP tokens.

I think the benefit of the inventory staking version of timelockMintFor is that it is less gas. NFTXStakingZap handles passing in NFTs/vTokens and then just tells the NFTXInventoryStaking how many xTokens to mint. Whereas with LP staking, the NFTXStakingZap has to pass the SLP tokens to NFTXLPStaking.

I'm guessing that the best option would be for us to change NFTXInventoryStaking so that it mimics NFTXLPStaking. Then it would be possible for us to remove the require(zapContract()) check.

Next step would probably be checking with Kiwi about this.

[0xKiwi]

Removing this could allow any fee excluded address to unlimited mint any about of tokens

[tomwade]

Good point, I've added this back but altered the logic so that it looks in a mapping, rather than a single address match

[0xKiwi]

Why is this being saved, the factory stores this already no?

[tomwade]

This just creates gas savings by allowing us by bypassing subsequent calls to the factory contract and instead just looking up the internal ID -> address mapping. Isn't an astronomical saving, but does add up.

[0xKiwi]

Suggested change

	// Get our start WETH balance
	uint wethBalance = WETH.balanceOf(address(this));
	// Wrap ETH into WETH for our contract from the sender
	if (msg.value > 0) {
	WETH.deposit{value: msg.value}();
	}
	// Get our vaults base staking token. This is used to calculate the xToken
	address baseToken = _vaultAddress(vaultId);
	require(baseToken != address(0), 'Invalid vault provided');
	// Get our vaults base staking token. This is used to calculate the xToken
	address baseToken = _vaultAddress(vaultId);
	require(baseToken != address(0), 'Invalid vault provided');
	// Get our start WETH balance
	uint wethBalance = WETH.balanceOf(address(this));
	// Wrap ETH into WETH for our contract from the sender
	if (msg.value > 0) {
	WETH.deposit{value: msg.value}();
	}

Reorder for readability

[0xKiwi]

No timelock is being applied here, is that ok?

[0xKiwi]

This should probably revert so if anyone just randomly sends ETH it doesn't get stuck

[0xKiwi]

Could malicious ownership allow this zap to perform the vulnerability?

[0xKiwi]

Not sure why this is needed when you can just use the factory no?

[tomwade]

Mentioned briefly in previous comment, but it is for gas savings for repeat calls

[0xKiwi]

Do you have a rough estimate on savings?