Wrong shareChange() function (vToken.sol) #26
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
Lines of code
https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/vToken.sol#L160
Vulnerability details
Impact
Users can get the wrong amount of vToken
=> Make users lose their fund
Proof of Concept
Base on the code in function
shareChange()
in vToken.solAssume that if
oldShare = totalSupply > 0
,newShares
=
(_amountInAsset * (_totalSupply - oldShares)) / (_assetBalance - availableAssets);
=
(_amountInAsset * (_totalSupply - _totalSupply)) / (_assetBalance - availableAssets);
=
0
It make no sense, because if
amountInAsset >> availableAssets
,newShares
should be bigger thanoldShares
, but in this casenewShares = 0 < oldShares
Tools Used
manual review
Recommended Mitigation Steps
Modify the line from
if (_totalSupply > 0)
toif (_totalSupply - oldShares > 0)
The text was updated successfully, but these errors were encountered: