New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User can lose 10 ethers to Vault #557
Comments
Picodes marked the issue as duplicate of #588 |
Giving duplicate with partial credit as this report misses the main impact of the finding which is the possibility for the first user to trick the next ones |
Picodes marked the issue as partial-50 |
Hi @Picodes I trust this to be an oversight, please note that this is not the same issue you are mentioning (and indeed I have another issue open for the same you're mentioning) and it would still be present after the fix to #588. This one is about the risk of calling mint passing 0 for shares argument. In this case, the message sender will lose 10 ethers and receive nothing in exchange therefore having no way to redeem or withdraw. The original ERC4626 code emits "x" shares if supply is 0, where "x" is the same argument passed to the mint function, so in the original code there is no risk of passing 0 because it has no effects, but in this case it does have an effect and therefore the mint should be protected, which is not. Please check carefully the included test and the test outputs. |
Hi @eierina, indeed I missed that you had another issue opened. In this case, I'll treat both reports separately. This report successfully notices that there is an issue with |
Also, please note that you shouldn't comment on your own findings until |
Picodes marked the issue as satisfactory |
Lines of code
https://github.com/AstariaXYZ/astaria-gpl/blob/f430f5b8fe868d4883a8249555df76ee7752587a/src/ERC4626-Cloned.sol#L38-L52
Vulnerability details
Impact
If a user or a contract that has a large allowance (10 ethers or max) on an ERC4626Cloned based Vault that has not yet received any deposits, calls mint with 0 share argument, will have a 10 ethers of the asset transferred to the Vault with no way to reclaim it because he/it will receive no shares.
NOTE: Raising this issue as high risk conforming to judging criteria '3 — High: Assets can be stolen/*lost*/compromised directly'. No complains if judge feels that the necessary pre-conditions makes it a '2 — Med'.
Proof of Concept
Test results:
Tools Used
n/a
Recommended Mitigation Steps
Since the previewMint does not use the original supply == 0 ? shares : ..., at least add a require precondition to the mint function to prevent minting of 0 shares.
The text was updated successfully, but these errors were encountered: