minDepositAmount should apply to asset and not share #351
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-486
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L27
Vulnerability details
Impact
As asset and share are different things, the user may deposit the ASSET amount which is <= minDepositAmount IF ITS SHARE is > minDepositAmount.
Proof of Concept
See ERC4626-Cloned.sol
In the deposit function above, the system checks if shares <= minDepositAmount(), if yes, revert the deposit
The system tries to compare shares against assets (Deposit amount). Assets and shares are related but they are completely different things. For example,
In a new empty vault, user A and user B make deposits
User A has 10 assets which are 10 shares
User B has 20 assets which are 20 shares
Here, the assets and shares are the same.
However, if the system withdraws 6 assets from the vault for some purpose
Total tokens = 24,
Total shares = 30,
In this case, the assets and shares are not the same
User A has 10 shares (which is 10 / 30 * 24 = 8 assets)
User B has 20 shares (which is 20 / 30 * 24 = 16 assets)
Let say,
If user C deposits 24 assets, he will get 30 shares [24 / (24 + 8 + 16) * (10 + 20 + 30)]
With the current code,
If minDepositAmount() = 25, his deposit will pass because 30 > 25. This is wrong because the deposit should fail as 24 < 25. We should verify by assets (NOT shares)
Tools Used
Manual
Recommended Mitigation Steps
Change the following code
The text was updated successfully, but these errors were encountered: