AutoPx*.previewWithdraw does not round up #89
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-178
partial-25
Incomplete articulation of vulnerability; eligible for partial credit only (25%)
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L199-L217
Vulnerability details
Impact
When calling AutoPx*.previewWithdraw in AutoPx*.withdraw, the comment says "No need to check for rounding error, previewWithdraw rounds up".
But only PirexERC4626.previewWithdraw rounds up.
AutoPx*.previewWithdraw overrides PirexERC4626.previewWithdraw, but does not round up.
This breaks the developer's intention and does not comply with the EIP-4626 specification.
Proof of Concept
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L199-L217
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGlp.sol#L177-L195
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/PirexERC4626.sol#L99-L105
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L315-L323
Tools Used
None
Recommended Mitigation Steps
Call PirexERC4626.previewWithdraw instead of convertToShares in AutoPx*.previewWithdraw.
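The rounding difference reported above can be checked with a small arithmetic model. This is an added example, not code from the issue or from the audited repository. The function names and the sample vault state are constructed for illustration, and any fee or penalty logic the vaults apply is left out as a simplifying assumption.

```python
# Added model of ERC-4626 share arithmetic (integer math, like the EVM).
# Function names are hypothetical; they are not the repository's code.

def convert_to_shares(assets: int, total_assets: int, total_supply: int) -> int:
    """Floor division: the rounding EIP-4626 specifies for convertToShares."""
    if total_supply == 0:
        return assets
    return assets * total_supply // total_assets


def preview_withdraw_up(assets: int, total_assets: int, total_supply: int) -> int:
    """Ceiling division: the rounding EIP-4626 requires for previewWithdraw."""
    if total_supply == 0:
        return assets
    return (assets * total_supply + total_assets - 1) // total_assets


def covers_withdrawal(shares: int, assets: int,
                      total_assets: int, total_supply: int) -> bool:
    """Invariant: the shares burned must be worth at least `assets`."""
    return shares * total_assets >= assets * total_supply


def find_underpriced(preview, total_assets: int, total_supply: int,
                     max_assets: int) -> list[int]:
    """Asset amounts in 1..max_assets for which `preview` burns too few shares."""
    return [
        a for a in range(1, max_assets + 1)
        if not covers_withdrawal(preview(a, total_assets, total_supply),
                                 a, total_assets, total_supply)
    ]


if __name__ == "__main__":
    # Constructed vault state: 1000 assets back 300 shares (price above 1).
    TA, TS = 1000, 300
    print("floor-rounded preview violates invariant for:",
          find_underpriced(convert_to_shares, TA, TS, 20))
    print("ceil-rounded preview violates invariant for: ",
          find_underpriced(preview_withdraw_up, TA, TS, 20))
```

The same invariant can be turned into a fuzz or property test against any `previewWithdraw` override, so a later change that reintroduces floor rounding fails the suite.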