-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deposit transfers shares not assets #471
Comments
@MiguelBits this seems valid, users should transfer as much as they specified in WETH and the contract should mint the calculated shares? |
however this will not cause any harm and no funds will be lost as, |
Honestly, the severity rating depends on which statement is true:
Looking at the code, it seems like the latter is true. shares
= previewDeposit(id, assets)
= convertToShares(id, assets)
= totalSupply(id) == 0 ? assets : assets.mulDivDown(totalSupply(id), totalAssets(id));
// for the latter case
= assets.mulDivDown(totalAssets(id), totalAssets(id))
= assets Hence, I agree that the severity should be downgraded to QA. |
part of warden's QA: #486 |
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L167
Vulnerability details
Impact
When depositing to the Vault, it transfers the wrong amount of tokens from the user. Deposit mistakenly transfers calculated
shares
, notassets
:Users will actually deposit less than intended this way because as far as I understand shares are supposed to include accrued interest.
It overrides the deposit function from
SemiFungibleVault
, there it works as expected:Recommended Mitigation Steps
It should transfer from the user
assets
, notshares
.The text was updated successfully, but these errors were encountered: