user fund loss or lock in claim() of the WithdrawProxy because code uses asset's decimal instead of 1e18 for calculating transferAmount #190
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-72
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/WithdrawProxy.sol#L268-L279
Vulnerability details
Impact
Function
Claim()
in WithdrawProxy return any excess funds to the PublicVault, according to thewithdrawRatio
between withdrawing and remaining LPs. but when code tries to calculating return amount according to thewithdrawRatio
it uses asset's decimals instead of1e18
and if asset's decimals where different then the calculation would go wrong and multiple things can happen:Proof of Concept
This is part of
claim()
function in WithdrawProxy which handles transferring excess funds to PublicVault:As you can see when code tries to calculate
transferAmount
it uses10**ERC20(asset()).decimals()
as dominator butwithdrawRatio
is calculated with1e18
factor so the value oftransferAmount
would be wrong.This is where withdraw ratio is calculated in the PublicVault and
1e18
has been used:This issue can have multiple impact:
transferAmount
would be very higher thanbalance
andunchecked { balance -= transferAmount; }
would underflow and the value ofbalance
would be very high and asset transfer would fail always and code would revert. so calls toclaim()
would fail and code would never setfinalAuctionEnd = 0
and this would cause calls toPublicVault.processEpoch()
to fail and PublicVault would be in broken state forever users would lose access to their funds.transferAmount
would be very low and code would consider those funds as excess amount and withdrawal users funds would get transferred to PublicVault and withdrawal users would lose their funds.(the bug and impact is obvious so the detailed POC is not included)
Tools Used
VIM
Recommended Mitigation Steps
use
1e18
to calculatetransferAmount
The text was updated successfully, but these errors were encountered: