Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERC4626RouterBase.withdraw should use a **max** shares out check #28

Open
code423n4 opened this issue Feb 20, 2022 · 3 comments
Open

ERC4626RouterBase.withdraw should use a **max** shares out check #28

code423n4 opened this issue Feb 20, 2022 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix)

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/fei-protocol/ERC4626/blob/5b786fe0317f65f5b716f577c28092fa349c4903/src/ERC4626RouterBase.sol#L45

Vulnerability details

Impact

The docs/video say ERC4626RouterBase.sol is in scope as its part of TurboRouter

The ERC4626RouterBase.withdraw function withdraws the asset amount parameter by burning shares.

function withdraw(
    IERC4626 vault,
    address to,
    uint256 amount,
    uint256 minSharesOut
) public payable virtual override returns (uint256 sharesOut) {
    // @audit-info from = msg.sender
    if ((sharesOut = vault.withdraw(amount, to, msg.sender)) < minSharesOut) {
        revert MinAmountError();
    }
}

It then checks that the burned shares sharesOut are not less than a minSharesOut amount.
However, the user wants to be protected against burning too many shares for their specified amount, and therefore a maxSharesBurned amount parameter should be used.

The user can lose their entire shares due to the wrong check.

this extends to TurboRouter.withdraw

POC

User calls Router.withdraw(amount=1100, minSharesOut=1000) to protect against not burning more than 1000 shares for their 1100 asset amount.
However, there's an exploit in the vault which makes the sharesOut = 100_000, the entire user's shares.
The check then passes as it only reverts if 100_000 < 1000.

Recommended Mitigation Steps

function withdraw(
    IERC4626 vault,
    address to,
    uint256 amount,
-    uint256 minSharesOut
+    uint256 maxSharesIn
) public payable virtual override returns (uint256 sharesOut) {
-    if ((sharesOut = vault.withdraw(amount, to, msg.sender)) < minSharesOut) {
+    if ((sharesOut = vault.withdraw(amount, to, msg.sender)) > maxSharesIn) {
        revert MinAmountError();
    }
}

Also, rename the variable in TurboRouter.withdraw.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Feb 20, 2022
code423n4 added a commit that referenced this issue Feb 20, 2022
@code423n4
cmichel issue #28
be53c55
@Joeysantoro Joeysantoro added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 24, 2022
@Joeysantoro
Copy link
Collaborator

This should be a medium severity issue. The function logic is correct, its just not a useful check in its current state.

This was referenced Feb 25, 2022
Closed
Merged
@Joeysantoro
Copy link
Collaborator

ERC4626-Alliance/ERC4626-Contracts#9

@Joeysantoro Joeysantoro added the resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) label Feb 26, 2022
@GalloDaSballo
Copy link
Collaborator

I agree with both sides, ultimately the check doesn't provide protection against loss of value, as such medium severity is appropriate.

The sponsor has mitigated in a subsequent PR

@GalloDaSballo GalloDaSballo added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Mar 19, 2022
@GalloDaSballo GalloDaSballo reopened this Mar 19, 2022
@GalloDaSballo GalloDaSballo mentioned this issue Mar 19, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @Joeysantoro @code423n4