Function mint() in ERC4626RouterBase would always revert because it uses shares instead of assets for allowance amount #168
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-488
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626RouterBase.sol#L21
Vulnerability details
Impact
Function
ERC4626RouterBase.mint()
callsvault.mint()
and vault's mint function calculates asset's amount and transfers underlying asset from caller but functionERC4626RouterBase.mint()
uses shares amount when setting the approval for vault. This would causeERC4626RouterBase.mint()
to when assets amount is bigger than shares amount and this is common situation (assets per share increase because of the interest rate over time). users can't use AstariaRouter's mint() function which supports slippage and call to the mint() would revert most of the times.Proof of Concept
This is
mint()
code in theERC4626RouterBase
contract:As you can see in the line
ERC20(vault.asset()).safeApprove(address(vault), shares);
code uses share amount to set spending allowance for vault address in underlying asset. shares shows vault token amount and code should have usedmaxAmountIn
for setting allowance.but in fact vault's mint() function transfers asset's amount after calculating it based on specified share amount. This is
mint()
function in ERC4626Cloned contract:As you can see code transfers assets from caller after calculating it based on shares and the assets amount can be bigger than shares.
because most of the time shares amount is lower than assets amount (assets per share increase over time because of the interest rate) so this issue would cause calls to mint() function to revert. any other protocol integrating with Astaria using this function would have broken logic and also users would lose gas if they use this function. contract AstariaRouter inherits ERC4626RouterBase and uses
mint()
function so users can't callAstariaRouter.mint()
which supports slippage allowance and they have to call vault's mint() directly and they may lose funds because of the slippage.Tools Used
VIM
Recommended Mitigation Steps
use
maxAmountIn
for allowance because it's the max amount user gives allowance and vault should always use less than that amount and if vault tries to use more amount then call would revert as it should.The text was updated successfully, but these errors were encountered: