earn results in decreasing share price #9
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Warden finding
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Handle
jonah1005
Vulnerability details
Impact
For a dai vault that pairs with NativeStrategyCurve3Crv, every time earn() is called, shareholders would lose money (about 2%). There are two issues involved. The Vault contract and the controller contract don't handle the price difference between the want token and other tokens.

Vault.sol#L293: When a vault calculates its value, it sums up all token balances. Controller.sol#L410-L436: However, when the controller calculates vaults' value, it only adds the amount of strategy.want it received (in this case, it's t3crv).

Under the current design, users who deposit dai to the vault would not get yield. Instead, they would keep losing money. I consider this a high-risk issue.
Proof of Concept
I trigger the bug with the following web3.py script:
Tools Used
Hardhat
Recommended Mitigation Steps
The protocol should decide what the balance sheet in each contract stands for and make it consistent in all cases. For example, if _vaultDetails[_vault].balance stands for the amount of 'want' token the vault owns, there shouldn't exist two different want tokens across all the strategies the vault has. Also, when the vault queries the controller's function balanceOf(), it should always multiply the result by the price.