functions withdraw() and deposit() in Vault contract use shares variable instead of assets to transfer user assets #315
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L145-L174
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L195-L234
Vulnerability details
Impact
in functions
deposit()
andwithdraw()
ofVault
contract, user specify how much assets he want to deposit to the contract or withdraw from contract and contract calculates the corresponding share amount for that amount of assets and mint or burn those shares for user. the code ofdeposit()
andwithdraw
has been written in general way to handle general cases but code uses variableshares
instead ofassets
to transfer user assets. This is wrong for general cases and only works whenassets
equal toshares
and ratio is1 to 1
between token and shares. as everything in code is written in general manner, in this cases code shouldn't written for special cases when the ratio is 1 to 1 too.Proof of Concept
This is
deposit()
andwithdraw()
code inVault
contract:As you can see in this line
asset.transferFrom(msg.sender, address(this), shares)
indeposit()
function code usesshares
to transfer user assets and deposit them to contract andshares
is calculated based onassets
in the previous line (shares = previewDeposit(id, assets)
) and user specified amount for depositing isassets
. so as whole code is written for general cases here code assumes thatshares
equal toassets
and the logics is wrong for general case Vault.As you can see in this line
uint256 entitledShares = beforeWithdraw(id, shares)
inwithdraw()
function, code usesshares
to calculate amount of assets user is going to get,beforeWithdraw()
is accepting amount of assets user wants to withdraw but here code sendshares
to that function. this logic is incorrect for general caseVault
and only works whenshares = assets
and the ratio is1 to 1
. This isbeforeWithdraw()
code which says it requires the second parameter to be amount of assets user wants to withdraw:So as showed the logics of are wrong for general cases and all of the code is written in a manner that is could work for general cases but here the logic of using
shares
instead ofassets
is not for general cases. if code is based on the fact that asset to share ratio is1 to 1
then there was no need to callpreviewWithdraw()
orpreviewDeposit()
and most of conversation logics between shares and assets.Tools Used
VIM
Recommended Mitigation Steps
use
assets
instead ofshares
The text was updated successfully, but these errors were encountered: