Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

maxDeposit() uses yieldVault.maxDeposit() but _depositAndMint() uses yieldVault.mint() #335

Open
c4-bot-10 opened this issue Mar 11, 2024 · 17 comments
Open

maxDeposit() uses yieldVault.maxDeposit() but _depositAndMint() uses yieldVault.mint() #335

c4-bot-10 opened this issue Mar 11, 2024 · 17 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality M-03 primary issue Highest quality submission among a set of duplicates 🤖_66_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@c4-bot-10
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L383

Vulnerability details

Impact

maxDeposit() might return a value greater than can be deposited, violating EIP-4626.

Proof of Concept

maxDeposit() returns up to yieldVault.maxDeposit(address(this)). However, _depositAndMint() deposits using yieldVault.mint() which may have a stricter limit than yieldVault.deposit(). In that case depositing maxDeposit() would revert, which violates EIP-4626.

Recommended Mitigation Steps

Use yieldVault.previewRedeem(yieldVault.maxMint()).

Assessed type

ERC4626
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 11, 2024
c4-bot-10 added a commit that referenced this issue Mar 11, 2024
@c4-bot-10
d3e4 issue #335
6413efd
@c4-bot-12 c4-bot-12 added the 🤖_66_group AI based duplicate group recommendation label Mar 11, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as insufficient quality report

@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Mar 12, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Mar 12, 2024
@raymondfam
Copy link

maxDeposit() (same as maxMint()) is to check the maximum withdrawable for each account where yieldVault.mint would simply revert if the cap has not been conformed to.

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Mar 18, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge reopened this Mar 18, 2024
@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards and removed unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Mar 18, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@hansfriese
Copy link

It's a valid concern and QA is more appropriate due to the low impact.

@c4-judge
Copy link
Contributor

hansfriese changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 18, 2024
@hansfriese
Copy link

I will mark as grade-a with some unique issues.

@c4-judge
Copy link
Contributor

hansfriese marked the issue as grade-a

@d3e4
Copy link

d3e4 commented Mar 19, 2024

Isn't a violation of EIP-4626, for a vault that claims to be compliant, at least a Medium severity because of the integration issues it implies?

Note that being EIP-4626 compliant is explicitly stated in the README and that adherence to this was listed as one of the Attack ideas.

This comment also applies to #336.

Here are a few previous examples awarded High or Medium:
code-423n4/2022-09-y2k-finance-findings#47
code-423n4/2023-05-maia-findings#585
code-423n4/2023-02-ethos-findings#247
code-423n4/2022-06-notional-coop-findings#155

@d3e4 d3e4 mentioned this issue Mar 19, 2024
Open
@hansfriese
Copy link

After checking again, I agree Medium is more appropriate as it may violate ERC4626 compliance.

@c4-judge c4-judge removed grade-a satisfactory satisfies C4 submission criteria; eligible for awards labels Mar 21, 2024
@c4-judge
Copy link
Contributor

hansfriese removed the grade

@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by hansfriese

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Mar 21, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Mar 21, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Mar 21, 2024
@C4-Staff C4-Staff added the M-03 label Mar 21, 2024
@trmid
Copy link

trmid commented Mar 25, 2024

After further evaluation, the suggested mitigation seems to cause issues in common ERC4626 yield vaults since maxMint commonly returns type(uint256).max and calling previewRedeem or previewMint with such a high value also commonly causes an overflow error on conversion.

As long as the yield vault maxDeposit function takes into account any internal supply limits, the current implementation is unlikely to have any compatibility issues and will be left as-is.

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Mar 26, 2024
@c4-sponsor
Copy link

trmid (sponsor) acknowledged

@InfectedIsm InfectedIsm mentioned this issue Jun 24, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality M-03 primary issue Highest quality submission among a set of duplicates 🤖_66_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@trmid @hansfriese @raymondfam @c4-judge @c4-sponsor @c4-pre-sort @d3e4 @C4-Staff @c4-bot-10 @c4-bot-12