Status: Open

Labels:
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- 🤖_08_group: AI based duplicate group recommendation
- M-04
- bug: Something isn't working
- primary issue: Highest quality submission among a set of duplicates
- selected for report: This submission will be included/highlighted in the audit report
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Description
Lines of code
Vulnerability details
In Vault.deposit(), a user's total deposit is capped: the ETH value of the deposit plus the ETH value of the shares the caller already holds must not exceed settings().getMaxDepositInETH().
```solidity
function deposit(
    address receiver
)
    external
    payable
    override
    nonReentrant
    whenNotPaused
    onlyWhiteListed
    returns (uint256 shares)
{
    if (msg.value == 0) revert InvalidDepositAmount();
    uint256 maxPriceAge = settings().getPriceMaxAge();
    Rebase memory total = Rebase(_totalAssets(maxPriceAge), totalSupply());
    if (
        // Or the Rebase is uninitialized
        !((total.elastic == 0 && total.base == 0) ||
        // Or Both are positive
        (total.base > 0 && total.elastic > 0))
    ) revert InvalidAssetsState();
    // Verify if the Deposit Value exceeds the maximum per wallet
    uint256 maxDeposit = settings().getMaxDepositInETH();
    if (maxDeposit > 0) {
        uint256 afterDeposit = msg.value +
@>          ((balanceOf(msg.sender) * _tokenPerETH(maxPriceAge)) / 1e18);
        if (afterDeposit > maxDeposit) revert MaxDepositReached();
    }
    // ...

function _tokenPerETH(uint256 priceMaxAge) internal view returns (uint256) {
    uint256 position = _totalAssets(priceMaxAge);
    if (totalSupply() == 0 || position == 0) {
        return 1 ether;
    }
@>  return (totalSupply() * 1 ether) / position;
}
```

The code above uses (balanceOf(msg.sender) * _tokenPerETH(maxPriceAge)) / 1e18 to compute the ETH value of the caller's existing shares.
Based on the definition of _tokenPerETH(), this formula is inverted: _tokenPerETH() returns totalSupply() * 1e18 / position, i.e. the number of shares per 1 ETH (scaled by 1e18), so converting a share balance into ETH requires dividing by it, not multiplying by it.
It should be balanceOf(msg.sender) * 1e18 / _tokenPerETH(maxPriceAge).
Impact
The inverted formula misvalues the caller's existing shares. When a share is worth more than 1 ETH (the vault has accrued yield) the check undervalues them, so a user can exceed getMaxDepositInETH; when a share is worth less than 1 ETH (the vault has taken losses) the check overvalues them and MaxDepositReached reverts prematurely.
In the latter case users may not be able to deposit properly.
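As an added illustration that is not part of the finding or the project's code, the following Python model reproduces the cap check with Solidity-style floor division on 18-decimal integers and runs the buggy and the corrected conversion over two constructed vault states, one with yield and one with losses; the vault numbers, the 100 ETH cap and the function names are assumptions chosen for the example.

```python
# Added example, not code from the audit finding or the project: a pure-Python model of
# the per-wallet cap check in Vault.deposit(), using Solidity-style floor division on
# 18-decimal integers, to show how the inverted conversion misfires in both directions.

WAD = 10**18  # 1e18 fixed-point scale, as in the contract


def token_per_eth(total_supply: int, total_assets: int) -> int:
    """Mirror of _tokenPerETH(): shares per 1 ETH, scaled by 1e18."""
    if total_supply == 0 or total_assets == 0:
        return WAD
    return (total_supply * WAD) // total_assets


def shares_to_eth_buggy(shares: int, total_supply: int, total_assets: int) -> int:
    """The conversion as written: multiplies shares by a shares-per-ETH rate."""
    return (shares * token_per_eth(total_supply, total_assets)) // WAD


def shares_to_eth_fixed(shares: int, total_supply: int, total_assets: int) -> int:
    """The proposed fix: divides shares by the shares-per-ETH rate."""
    return (shares * WAD) // token_per_eth(total_supply, total_assets)


def deposit_allowed(deposit_wei: int, user_shares: int, total_supply: int,
                    total_assets: int, max_deposit_wei: int, fixed: bool) -> bool:
    """Return True if the per-wallet cap check in deposit() would let the deposit through."""
    if max_deposit_wei == 0:
        return True  # cap disabled, as in the contract's `if (maxDeposit > 0)` guard
    convert = shares_to_eth_fixed if fixed else shares_to_eth_buggy
    after_deposit = deposit_wei + convert(user_shares, total_supply, total_assets)
    return after_deposit <= max_deposit_wei


# Constructed scenarios (assumed values, in wei / 18-decimal shares); cap is 100 ETH.
MAX_DEPOSIT = 100 * WAD

# A: vault has earned yield, 1 share = 2 ETH. The user's 40 shares are worth 80 ETH,
#    so a further 30 ETH deposit (110 ETH total) must be rejected.
GAIN = dict(user_shares=40 * WAD, total_supply=100 * WAD, total_assets=200 * WAD)

# B: vault has taken losses, 1 share = 0.5 ETH. The user's 40 shares are worth 20 ETH,
#    so a further 30 ETH deposit (50 ETH total) must be allowed.
LOSS = dict(user_shares=40 * WAD, total_supply=100 * WAD, total_assets=50 * WAD)


def run_scenarios() -> dict:
    """Evaluate the cap check with both formulas; keys are (scenario, formula)."""
    results = {}
    for name, vault in (("gain", GAIN), ("loss", LOSS)):
        for label, fixed in (("buggy", False), ("fixed", True)):
            results[(name, label)] = deposit_allowed(
                30 * WAD, max_deposit_wei=MAX_DEPOSIT, fixed=fixed, **vault
            )
    return results


if __name__ == "__main__":
    for (scenario, formula), allowed in run_scenarios().items():
        print(f"{scenario:5s} {formula:5s} deposit allowed: {allowed}")
```

With the buggy formula the yield scenario is wrongly allowed (the 80 ETH position is counted as 20 ETH) and the loss scenario is wrongly rejected (20 ETH counted as 80 ETH); the corrected formula gives the opposite, correct, answers in both cases.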
Recommended Mitigation
```diff
function deposit(
    address receiver
)
...
    // Verify if the Deposit Value exceeds the maximum per wallet
    uint256 maxDeposit = settings().getMaxDepositInETH();
    if (maxDeposit > 0) {
        uint256 afterDeposit = msg.value +
-           ((balanceOf(msg.sender) * _tokenPerETH(maxPriceAge)) / 1e18);
+           ((balanceOf(msg.sender) * 1e18) / _tokenPerETH(maxPriceAge));
        if (afterDeposit > maxDeposit) revert MaxDepositReached();
    }
```

Assessed type
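Review bot: The replacement line divides by _tokenPerETH(maxPriceAge), which is safe in the empty-vault case (the helper returns 1 ether when totalSupply() or position is zero) but rounds down to zero whenever totalSupply() * 1 ether < position, i.e. when a share is worth more than 1e18 ETH, and the cap check would then revert with a division by zero; it also introduces a second rounding step by going through the scaled rate. Consider converting shares to ETH directly, guarded for an empty vault, e.g. `balanceOf(msg.sender) * _totalAssets(maxPriceAge) / totalSupply()` when totalSupply() > 0, which removes both the intermediate rounding and the edge case.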