FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION #594

code423n4 · 2023-01-19T19:46:27Z

Lines of code

https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L107-L113

Vulnerability details

Impact

This is a common attack vector involving shares based liquidity pool contracts. An early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share.
(Note: In the case of the protocol, the price per share relates to the amount of fund (asset) tokens per share.)

ERC4626-Cloned.sol#L107-L113

  function convertToShares(
    uint256 assets
  ) public view virtual returns (uint256) {
    uint256 supply = totalSupply(); // Saves an extra SLOAD if totalSupply is non-zero.

    return supply == 0 ? assets : assets.mulDivDown(supply, totalAssets());
  }

Proof of Concept

Here is the exploit scenario:

A malicious early user can call deposit() with 1 wei of asset token as the first depositor, and gets 1 wei of shares as is evidenced in the ternary return statement above.
Next, the attacker will send 10000e18 - 1 of asset tokens and inflate the price per share from 1.0000 to an extreme value of 1.0000e22 ( from (1 + 10000e18 - 1) / 1).
Consequently, the future user who deposits 19999e18 will only receive 1 wei (from 19999e18 * 1 / 10000e18) of shares token.
He/she will immediately lose 9999e18 or equivalently half of the deposits if redeem() is called right after deposit(), albeit to be realized in the next epoch.

Conclusion: The attacker can profit from future users' deposits whilst the late users will lose part of their funds to the attacker.

Recommended Mitigation Steps

It is recommended sending the first 1000 shares to address 0, a mitigation approach adopted by the Uniswap V2 protocol.

Additionally, the protocol should strongly advise depositors to deposit funds via AstariaRouter.sol (instead of PublicVault.sol to avoid this specific leak) that will have a slippage protection.

The text was updated successfully, but these errors were encountered:

c4-judge · 2023-01-23T16:16:30Z

Picodes marked the issue as duplicate of #509

c4-judge · 2023-01-23T16:20:41Z

Picodes marked the issue as duplicate of #588

c4-judge · 2023-02-19T16:57:57Z

Picodes marked the issue as satisfactory

c4-judge · 2023-02-19T16:58:07Z

Picodes changed the severity to 3 (High Risk)

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 19, 2023

code423n4 added a commit that referenced this issue Jan 19, 2023

Josiah issue #594

36f7cd1

code423n4 added the edited-by-warden label Jan 19, 2023

c4-judge closed this as completed Jan 23, 2023

c4-judge added the duplicate-509 label Jan 23, 2023

c4-judge added duplicate-588 and removed duplicate-509 labels Jan 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION #594

FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION #594

code423n4 commented Jan 19, 2023 •

edited

c4-judge commented Jan 23, 2023

c4-judge commented Jan 23, 2023

c4-judge commented Feb 19, 2023

c4-judge commented Feb 19, 2023

FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION #594

FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION #594

Comments

code423n4 commented Jan 19, 2023 • edited

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

c4-judge commented Jan 23, 2023

c4-judge commented Jan 23, 2023

c4-judge commented Feb 19, 2023

c4-judge commented Feb 19, 2023

code423n4 commented Jan 19, 2023 •

edited