EIP4626 violated by Vault #220
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
high quality report
This report is of especially high quality
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/bca5080635370424a9fe21fe1aded98345d1f723/src/Vault.sol#L226
https://github.com/code-423n4/2022-09-y2k-finance/blob/bca5080635370424a9fe21fe1aded98345d1f723/src/SemiFungibleVault.sol#L205
Vulnerability details
Impact & Proof Of Concept
EIP-4626 states the following:
However, this is not true for the vaults
previewWithdraw
. This function returns the amount that the user will get plus the withdrawal fees that are tranferred to the treasury.Rationale for high risk: In a previous contest, a similar issue was marked high risk with the following reasoning:
I agree with that reasoning. When other smart contracts try to integrate with these vaults (which is the motiviation for having these standards, after all), this could lead to significant problems, including a loss of funds. For instance, a third-party contract could transfer the amount that is returned by
previewWithdraw
to the user that requested the withdrawal. But because the smart contract receives less assets, this will lead to one of two situations:1.) The asset balance of the smart contract is enough to cover the withdrawal fee: In such a situation, the user would steal assets that belong to other users.
2.) The asset balance is not enough: No withdrawals are possible, the funds are stuck.
Recommended Mitigation Steps
Subtract the fees in
previewWithdraw
.The text was updated successfully, but these errors were encountered: