SemiFungibleVault's previewDeposit/previewMint implementation is not ERC-4626 compliant #43
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/SemiFungibleVault.sol#L175-L182
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/SemiFungibleVault.sol#L189-L197
Vulnerability details
Impact
ERC-4626 defines the previewDeposit() and previewMint() functions with the intention of being used as a way to "simulate" a deposit. Thus, the previewDeposit() and previewMint() functions should revert when passed a set of parameters that would cause deposit() to revert.
SemiFungibleVault's previewDeposit and previewMint functions are borrowed from the Solmate reference implementation and fail to detect conditions that cause deposit() to revert, making the contract non-ERC-4626 compliant.
Proof of Concept
previewDeposit() implementation
previewMint() implementation
previewDeposit() and previewMint() fail to revert under the following conditions:
Tools Used
Manual Review
Recommended Mitigation Steps
The previewDeposit() and previewMint() functions should be modified so they revert whenever the deposit() function would revert.