ERC4626RouterBase.withdraw
should use a **max** shares out check
#28
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
Lines of code
https://github.com/fei-protocol/ERC4626/blob/5b786fe0317f65f5b716f577c28092fa349c4903/src/ERC4626RouterBase.sol#L45
Vulnerability details
Impact
The
ERC4626RouterBase.withdraw
function withdraws the assetamount
parameter by burningshares
.It then checks that the burned shares
sharesOut
are not less than aminSharesOut
amount.However, the user wants to be protected against burning too many shares for their specified
amount
, and therefore amaxSharesBurned
amount parameter should be used.The user can lose their entire shares due to the wrong check.
POC
User calls
Router.withdraw(amount=1100, minSharesOut=1000)
to protect against not burning more than1000
shares for their1100
asset amount.However, there's an exploit in the vault which makes the
sharesOut = 100_000
, the entire user's shares.The check then passes as it only reverts if
100_000 < 1000
.Recommended Mitigation Steps
Also, rename the variable in
TurboRouter.withdraw
.The text was updated successfully, but these errors were encountered: