Category: Coding Mistakes

Admins might donate fees on panic and setPositionWidth

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The strategy contract's _removeLiquidity function calls the Uniswap pool's burn function first to burn liquidity, followed by collect to collect any tokens owed by the pool to the strategy. This will also pay out any owed fees. For this reason, calls to _removeLiquidity are usually preceded by a call to _claimEarnings, which will use collect to collect any outstanding fees earned on Uniswap and account for them properly, so that, for example, any Beefy fees on them can be deducted correctly.

The functions setPositionWidth and panic, however, call _removeLiquidity without a preceding call to _claimEarnings, which in effect donates any outstanding fees on the Uniswap pool to the vault's shareholders without deducting any fees. That said, these two functions can only be called by the owner and manager, respectively.

Impact

During some rare administrative tasks, fees might not be deducted from Uniswap fees earned.

Recommendations

Consider calling _claimEarnings before _removeLiquidity in the two mentioned functions. Alternatively, document this behavior and consider calling harvest before calls to the two functions to ensure fees have been accounted for.
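
The accounting difference can be seen in a small model. This is an added example, not code from the Beefy contracts or from the report: it is a single-token Python simulation, and the `Pool` and `Strategy` classes, the `run_panic` helper, the 10% fee rate, and all amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FEE_BPS = 1000  # assumed protocol fee of 10%, constructed for this example

@dataclass
class Pool:
    """Toy single-token model of a Uniswap V3 position (constructed)."""
    principal: int      # tokens backing the position's liquidity
    pending_fees: int   # swap fees earned but not yet credited
    owed: int = 0       # tokens the pool owes the position owner

    def burn(self, amount: int) -> None:
        # Burning updates the position: earned fees and burned principal
        # both land in `owed` and cannot be told apart afterwards.
        self.owed += self.pending_fees + amount
        self.pending_fees = 0
        self.principal -= amount

    def collect(self) -> int:
        paid, self.owed = self.owed, 0
        return paid

@dataclass
class Strategy:
    pool: Pool
    idle: int = 0           # tokens held on behalf of vault shareholders
    protocol_fees: int = 0  # fees deducted for the protocol

    def _claim_earnings(self) -> None:
        self.pool.burn(0)   # credit fees without removing liquidity
        earned = self.pool.collect()
        cut = earned * FEE_BPS // 10_000
        self.protocol_fees += cut
        self.idle += earned - cut

    def _remove_liquidity(self) -> None:
        self.pool.burn(self.pool.principal)
        self.idle += self.pool.collect()  # also pays out unclaimed fees

    def panic(self, claim_first: bool) -> None:
        if claim_first:     # the recommended ordering
            self._claim_earnings()
        self._remove_liquidity()

def run_panic(claim_first: bool) -> tuple[int, int]:
    """Return (shareholder balance, protocol fees) after a panic."""
    s = Strategy(Pool(principal=1_000_000, pending_fees=20_000))
    s.panic(claim_first)
    return s.idle, s.protocol_fees
```

Without the preceding claim, the full 20,000 in pending fees reaches shareholders and the protocol fee is zero; with it, the fee is deducted and the total paid out is unchanged.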

Remediation

This issue has been acknowledged by Beefy, and a fix was implemented in commit 2c2db9ae.

Zellic © 2024