Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

M-1 Remaining inflation attack #448

Closed
0xdcota opened this issue Apr 14, 2023 · 0 comments · Fixed by #541
Closed

M-1 Remaining inflation attack #448

0xdcota opened this issue Apr 14, 2023 · 0 comments · Fixed by #541
Assignees
@0xdcota @pedrovalido
Labels
Bug Something isn't working Smart Contracts
Milestone
Fuji-v2 MVP

Comments

@0xdcota
Copy link
Contributor

0xdcota commented Apr 14, 2023
edited

[M-1] Fuji’s vault would remain vulnerable to an inflation attack despite the explicit measures taken

Description

There is one widely known issue regarding the front-running of the first deposit.
Fuji team is already aware of this and mentions the same on L85 of the base vault, and has added a minAmount protection against it.
However, it's not enough since one can deposit minAmount, withdraw it such that only 1 wei of assets remain in the contract, and then sandwich the first deposit.

Remediation to consider

Contract Changes:

  1. Consider defining state variables to track balances instead of .balanceOf
  2. Represent shares with more precision/decimals than assets refer openzeppelin’s discussion

Or
Consider depositing some amount into the vaults on your own when they are deployed and leave it there.
This will ensure that the total supply of shares will always remain at a certain level.

Other solutions, like minting dead shares to zero address, are suboptimal, as explained in this MixBytes Blog Post.
@0xdcota 0xdcota added Bug Something isn't working Smart Contracts labels Apr 14, 2023
@0xdcota 0xdcota added this to the Fuji-v2 MVP milestone Apr 14, 2023
@0xdcota 0xdcota changed the title Remaining inflation attack M-1 Remaining inflation attack Apr 14, 2023
@0xdcota 0xdcota self-assigned this Apr 14, 2023
@0xdcota 0xdcota mentioned this issue Apr 14, 2023
Closed
@0xdcota 0xdcota linked a pull request Apr 26, 2023 that will close this issue
Vault inflation attack #498
Closed
@0xdcota 0xdcota linked a pull request May 22, 2023 that will close this issue
Vault inflation attack #541
Merged
@0xdcota 0xdcota closed this as completed May 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xdcota 0xdcota

@pedrovalido pedrovalido

Labels
Bug Something isn't working Smart Contracts
Projects
None yet
Milestone
Fuji-v2 MVP
Development

Successfully merging a pull request may close this issue.

Vault inflation attack Fujicracy/fuji-v2
Vault inflation attack Fujicracy/fuji-v2
2 participants
@0xdcota @pedrovalido