Calculation of CollateralTracker.maxMint function is faulty #358
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-501
grade-b
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_61_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L444-L448
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L379-L381
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L453-L468
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L477-L500
Vulnerability details
Impact
The following `maxMint` function returns `maxShares` that is `(convertToShares(type(uint104).max) * DECIMALS) / (DECIMALS + COMMISSION_FEE)`, which can be rewritten as `(type(uint104).max * totalSupply / totalAssets()) * DECIMALS / (DECIMALS + COMMISSION_FEE)`.
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L444-L448
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L379-L381
Calling the following `previewMint` function with the `maxShares` returned by the `maxMint` function as the `shares` input would return an `assets` that is `((type(uint104).max * totalSupply / totalAssets()) * DECIMALS / (DECIMALS + COMMISSION_FEE)) * DECIMALS * totalAssets() / (totalSupply * (DECIMALS - COMMISSION_FEE))`, which can be simplified to `type(uint104).max * (DECIMALS**2) / (DECIMALS**2 - COMMISSION_FEE**2)`. Since `(DECIMALS**2) / (DECIMALS**2 - COMMISSION_FEE**2)` is bigger than 1 for a reasonable `COMMISSION_FEE`, `type(uint104).max * (DECIMALS**2) / (DECIMALS**2 - COMMISSION_FEE**2)` would be larger than `type(uint104).max`. This means that such `assets`, which corresponds to the `maxShares` returned by the `maxMint` function, is larger than `type(uint104).max` that is the deposit limit of the underlying asset; this shows that the calculation of the `maxMint` function is faulty.
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L453-L468
Because of the faulty calculation of the `maxMint` function, calling the following `mint` function with the `maxShares` returned by the `maxMint` function as the `shares` input will revert with the `DepositTooLarge` error.
https://github.com/code-423n4/2024-04-panoptic/blob/58dda1b3b74e48f4d924731ec5da14096043fde0/contracts/CollateralTracker.sol#L477-L500
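The arithmetic above can be replayed with a small integer model; this is an added example, not code from the report or from the Panoptic contracts. `DECIMALS = 10_000`, `COMMISSION_FEE = 10`, the pool states passed to `check`, the floor rounding and the helper `largest_mintable` are assumptions made for illustration.

```python
# Integer model of the formulas quoted in the report (added example).
UINT104_MAX = 2**104 - 1  # deposit limit of the underlying asset, per the report
DECIMALS = 10_000         # assumed basis-point denominator
COMMISSION_FEE = 10       # constructed value (10 bps)

class DepositTooLarge(Exception):
    """Stands in for the DepositTooLarge revert."""

def convert_to_shares(assets, total_supply, total_assets):
    return assets * total_supply // total_assets

def max_mint(total_supply, total_assets):
    shares = convert_to_shares(UINT104_MAX, total_supply, total_assets)
    return shares * DECIMALS // (DECIMALS + COMMISSION_FEE)

def preview_mint(shares, total_supply, total_assets):
    # Floor division is a simplification; rounding up would only raise the result.
    return shares * DECIMALS * total_assets // (total_supply * (DECIMALS - COMMISSION_FEE))

def mint(shares, total_supply, total_assets):
    assets = preview_mint(shares, total_supply, total_assets)
    if assets > UINT104_MAX:
        raise DepositTooLarge(assets)
    return assets

def largest_mintable(total_supply, total_assets):
    # Hypothetical helper: binary search for the largest share count mint() accepts.
    lo, hi = 0, max_mint(total_supply, total_assets)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if preview_mint(mid, total_supply, total_assets) <= UINT104_MAX:
            lo = mid
        else:
            hi = mid - 1
    return lo

def check(total_supply, total_assets):
    """Return (mint(maxMint()) reverted, shares by which maxMint overstates)."""
    claimed = max_mint(total_supply, total_assets)
    try:
        mint(claimed, total_supply, total_assets)
        reverted = False
    except DepositTooLarge:
        reverted = True
    return reverted, claimed - largest_mintable(total_supply, total_assets)
```

The second value returned by `check` is the gap between what `max_mint` reports and the largest share count the modelled `mint` accepts, which is the property an EIP-4626 conformance test would assert to be zero.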
According to https://eips.ethereum.org/EIPS/eip-4626, the EIP-4626 standard requires the `maxMint` function to return "Maximum amount of shares that can be minted from the Vault for the `receiver`, through a `mint` call" and "MUST return the maximum amount of shares `mint` would allow to be deposited to `receiver` and not cause a revert". However, calling the `mint` function with the `maxShares` returned by the `maxMint` function as the `shares` input reverts while such operation should not revert. As a result, the faulty calculation of the `maxMint` function violates the EIP-4626 standard.
Proof of Concept
Please add the following test in `test\foundry\core\CollateralTracker.t.sol`. This test will pass to demonstrate the described scenario.
Tools Used
Manual Review
Recommended Mitigation Steps
The `maxMint` function can be updated to the following code.
Assessed type
ERC4626