Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EIP4626 violated by Vault #220

Closed
code423n4 opened this issue Sep 18, 2022 · 2 comments
Closed

EIP4626 violated by Vault #220

code423n4 opened this issue Sep 18, 2022 · 2 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists high quality report This report is of especially high quality resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/bca5080635370424a9fe21fe1aded98345d1f723/src/Vault.sol#L226
https://github.com/code-423n4/2022-09-y2k-finance/blob/bca5080635370424a9fe21fe1aded98345d1f723/src/SemiFungibleVault.sol#L205

Vulnerability details

Impact & Proof Of Concept

EIP-4626 states the following:

The convertTo functions serve as rough estimates that do not account for operation specific details like withdrawal fees, etc. They were included for frontends and applications that need an average value of shares or assets, not an exact value possibly including slippage or other fees. For applications that need an exact value that attempts to account for fees and slippage we have included a corresponding preview function to match each mutable function. These functions must not account for deposit or withdrawal limits, to ensure they are easily composable, the max functions are provided for that purpose.

However, this is not true for the vaults previewWithdraw. This function returns the amount that the user will get plus the withdrawal fees that are tranferred to the treasury.

Rationale for high risk: In a previous contest, a similar issue was marked high risk with the following reasoning:

EIP4626 is aimed to create a consistent and robust implementation patterns for Tokenized Vaults. A slight deviation from 4626 would broke composability and potentially lead to loss of fund (POC in code-423n4/2022-06-notional-coop-findings#88 can be an example). It is counterproductive to implement EIP4626 but does not conform to it fully.

I agree with that reasoning. When other smart contracts try to integrate with these vaults (which is the motiviation for having these standards, after all), this could lead to significant problems, including a loss of funds. For instance, a third-party contract could transfer the amount that is returned by previewWithdraw to the user that requested the withdrawal. But because the smart contract receives less assets, this will lead to one of two situations:
1.) The asset balance of the smart contract is enough to cover the withdrawal fee: In such a situation, the user would steal assets that belong to other users.
2.) The asset balance is not enough: No withdrawals are possible, the funds are stuck.

Recommended Mitigation Steps

Subtract the fees in previewWithdraw.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 18, 2022
code423n4 added a commit that referenced this issue Sep 18, 2022
@code423n4
Lambda issue #220
da2b140
@MiguelBits MiguelBits mentioned this issue Sep 21, 2022
Closed
@3xHarry
Copy link
Collaborator

3xHarry commented Sep 22, 2022

@MiguelBits i agree with this

@MiguelBits MiguelBits added high quality report This report is of especially high quality resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Sep 23, 2022
@HickupHH3
Copy link
Collaborator

dup of #47

@HickupHH3 HickupHH3 added the satisfactory satisfies C4 submission criteria; eligible for awards label Oct 17, 2022
@JeeberC4 JeeberC4 added the duplicate This issue or pull request already exists label Nov 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists high quality report This report is of especially high quality resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@MiguelBits @code423n4 @HickupHH3 @liveactionllama @JeeberC4 @3xHarry