ERC4626 mints token amount, not number of shares #20
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Lines of code
https://github.com/Rari-Capital/solmate/blob/main/src/mixins/ERC4626.sol#L67
Vulnerability details
Impact
If the number of assets is different from the number of shares, the user will get more or less shares than they expect.
Users don't have to be sophisticated at all, just using the contract as intended can cause users to get more or less of the shares of a vault.
Proof of Concept
Here's a proof of concept:
We would expect the following:
a. Alice now has 2/3rds of the shares (2e18)
b. Alice has to transfer 2e18 tokens
Alice correctly has to transfer 2e18 tokens. But she receives 2e18 shares instead of 1e18 shares because of the line of code here.
https://github.com/Rari-Capital/solmate/blob/main/src/mixins/ERC4626.sol#L67
Recommended Mitigation Steps
Change amount to shares on that line. Also should check other implementations to ensure this isn't exploitable in any production contracts.
The text was updated successfully, but these errors were encountered: