Attacker can DoS deposits to a new Vault #43
Description
Lines of code
https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/Vault.sol#L204-L209
Vulnerability details
Impact
Attackers can DoS deposits on New Vaults, rendering the vault completely unusable.
Proof of Concept
When doing a deposit on a Vault, there are some checks that analyze the state of the Rebase values. Deposits are allowed only when (total.elastic == 0 && total.base == 0) || (total.base > 0 && total.elastic > 0), any other combination of those two values will cause the deposit to revert.
function deposit(
address receiver
)
...
{
...
Rebase memory total = Rebase(_totalAssets(maxPriceAge), totalSupply());
if (
// Or the Rebase is unititialized
!((total.elastic == 0 && total.base == 0) ||
// Or Both are positive
(total.base > 0 && total.elastic > 0))
) revert InvalidAssetsState();
...
}
The total.elastic represents the assets controlled by the Vault in the associated Strategy.
- The assets controlled by the Vault is the difference between the value in ETH of the aCollateralTokens owned by the Strategy and the total WETH debt of the Strategy.
The total.base represents all the vault shares that have been minted (totalSupply())
An attacker can donate (do a direct transfer) 1 wei of the aCollateralToken to the Strategy. This will make the total.elastic to be equals to 1 wei, while the total.base is 0 because any deposits on the Vault have been made.
total.elastic > 0 && total.base == 0is a combination of values that will cause a deposit to revert with the errorInvalidAssetsState
Tools Used
Manual Audit
Recommended Mitigation Steps
Remove those if conditionals from the deposit(). Design a different mechanism to validate the state of the Rebase that can't be affected by direct donations of aCollateralTokens
Assessed type
Context