This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
Flora - LMPVault._withdraw()
can revert due to an arithmetic underflow
#519
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Flora
high
LMPVault._withdraw()
can revert due to an arithmetic underflowSummary
LMPVault._withdraw()
can revert due to an arithmetic underflow.Vulnerability Detail
Inside the
_withdraw()
function, themaxAssetsToPull
argument value of_calcUserWithdrawSharesToBurn()
is calculated to be equal toinfo.totalAssetsToPull - Math.max(info.debtDecrease, info.totalAssetsPulled)
.However, the
_withdraw()
function only halts its loop wheninfo.totalAssetsPulled >= info.totalAssetsToPull
.This can lead to a situation where
info.debtDecrease >= info.totalAssetsToPull
. Consequently, when calculatinginfo.totalAssetsToPull - Math.max(info.debtDecrease, info.totalAssetsPulled)
for the next destination vault in the loop, an underflow occurs and triggers a contract revert.To illustrate this vulnerability, consider the following scenario:
Impact
The vulnerability can result in the contract reverting due to an underflow, disrupting the functionality of the contract.
Users who try to withdraw assets from the LMPVault may encounter transaction failures and be unable to withdraw their assets.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L475
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L493-L504
Tool used
Manual Review
Recommendation
To mitigate this vulnerability, it is recommended to break the loop within the
_withdraw()
function ifMath.max(info.debtDecrease, info.totalAssetsPulled) >= info.totalAssetsToPull
The text was updated successfully, but these errors were encountered: