M-1 Remaining inflation attack #448

Closed
0xdcota opened this issue Apr 14, 2023 · 0 comments · Fixed by #541
0xdcota commented Apr 14, 2023

[M-1] Fuji’s vault would remain vulnerable to an inflation attack despite the explicit measures taken

Description

There is one widely known issue regarding the front-running of the first deposit.
The Fuji team is already aware of this and mentions the same on L85 of the base vault, and has added a minAmount protection against it.
However, it's not enough since one can deposit minAmount, withdraw it such that only 1 wei of assets remain in the contract, and then sandwich the first deposit.

Remediation to consider

Contract Changes:

  1. Consider defining state variables to track balances instead of .balanceOf
  2. Represent shares with more precision/decimals than assets (refer to OpenZeppelin’s discussion)

Or
Consider depositing some amount into the vaults on your own when they are deployed and leave it there.
This will ensure that the total supply of shares will always remain at a certain level.

Other solutions, like minting dead shares to zero address, are suboptimal, as explained in this MixBytes Blog Post.

@0xdcota 0xdcota added Bug Something isn't working Smart Contracts labels Apr 14, 2023
@0xdcota 0xdcota added this to the Fuji-v2 MVP milestone Apr 14, 2023
@0xdcota 0xdcota changed the title Remaining inflation attack M-1 Remaining inflation attack Apr 14, 2023
@0xdcota 0xdcota self-assigned this Apr 14, 2023
@0xdcota 0xdcota linked a pull request Apr 26, 2023 that will close this issue
@0xdcota 0xdcota linked a pull request May 22, 2023 that will close this issue
@0xdcota 0xdcota closed this as completed May 22, 2023
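
Added example (not part of the issue and not Fuji's contract code): a small Python model of ERC-4626 share accounting that replays the sequence described in the issue and measures what the first real depositor can no longer redeem, with and without the two contract-level remediations. It assumes classic round-down share math; the class, method and account names are hypothetical and the amounts are constructed.

```python
# Added model of ERC-4626 share math; not Fuji's contract. All names are hypothetical.
class Vault:
    def __init__(self, min_amount, tracked=False, offset=None):
        self.min_amount, self.tracked = min_amount, tracked
        # offset=None: classic math; offset=n: virtual shares/assets (remediation 2)
        self.v_shares = 0 if offset is None else 10 ** offset
        self.v_assets = 0 if offset is None else 1
        self.balance = 0    # what asset.balanceOf(vault) would return
        self.ledger = 0     # internally tracked deposits (remediation 1)
        self.supply = 0
        self.shares = {}

    def _rate(self):
        assets = self.ledger if self.tracked else self.balance
        return self.supply + self.v_shares, assets + self.v_assets

    def deposit(self, who, assets):
        if assets < self.min_amount:
            raise ValueError("below minAmount")
        s, a = self._rate()
        minted = assets if s == 0 or a == 0 else assets * s // a  # rounds down
        self.balance += assets; self.ledger += assets; self.supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted

    def preview_redeem(self, shares):
        s, a = self._rate()
        return shares * a // s

    def redeem(self, who, shares):
        out = self.preview_redeem(shares)
        self.balance -= out; self.ledger -= out; self.supply -= shares
        self.shares[who] -= shares
        return out

    def donate(self, assets):   # plain token transfer, bypasses deposit()
        self.balance += assets


def first_depositor_loss(tracked=False, offset=None, min_amount=10**6):
    """Replay the sequence from the issue; return assets the first real depositor cannot redeem."""
    v = Vault(min_amount, tracked, offset)
    v.deposit("early", min_amount)
    # the early account exits until 1 wei of assets remains in the vault
    v.redeem("early", v.shares["early"] - v.shares["early"] // min_amount)
    v.donate(1_000 * 10**6)               # constructed amount
    deposit = 2_000 * 10**6               # constructed amount
    v.deposit("user", deposit)
    return deposit - v.preview_redeem(v.shares["user"])
```

With balanceOf-based accounting the minAmount check does not stop the loss; tracking deposits internally removes it, and a decimals offset reduces it to rounding dust.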