This repository has been archived by the owner on May 26, 2024. It is now read-only.
xiaoming90 - Potential rounding errors during deposit and redemption #75
Labels
Non-Reward
This issue will not receive a payout
Sponsor Disputed
The sponsor disputed this issue's validity
xiaoming90
medium
Potential rounding errors during deposit and redemption
Summary
Due to a rounding error in Solidity, it is possible that a user deposits assets to the vault but receives no vault shares in return OR redeems vault shares but does not receive any asset in return.
Vulnerability Detail
Due to a rounding error in Solidity, it is possible that a user deposits assets to the vault but receives no vault share in return due to issues in the following functions:
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L229
On the other hand, it is possible that the user redeems the vault share but receives no asset in return due to a rounding error.
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L293
The issue is similar to a past contest issue (sherlock-audit/2022-12-notional-judging#16).
Impact
Loss of assets for the users as they deposited their assets but received zero vault shares in return OR they redeemed vault shares but did not receive any asset in return.
Code Snippet
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L229
https://github.com/sherlock-audit/2023-10-notional/blob/main/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L293
Tool used
Manual Review
Recommendation
Consider reverting if no strategy token is minted during the deposit and no assets are returned during redemption.
If this issue has already been addressed by enforcing the minimum amount to prevent rounding to zero on the Notional V3 side as per the Discord message (https://discord.com/channels/812037309376495636/1175450365395751023/1177024379780083732), this issue can be ignored.
However, care should be taken if there are other integrations with the leverage vault in the future that do not explicitly enforce such restrictions.
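The guard recommended above, as an added example that is not part of the original issue and is not Notional's code. The contract `RoundingGuardExample`, its pro-rata share formulas and the sample numbers in the comments are assumptions made for illustration; only share accounting is modelled, and token transfers are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical minimal vault accounting (assumed pro-rata formulas with
/// floor division). It is NOT SingleSidedLPVaultBase.
contract RoundingGuardExample {
    uint256 public totalShares; // vault shares outstanding
    uint256 public totalAssets; // assets held by the vault

    error ZeroSharesMinted();
    error ZeroAssetsReturned();

    constructor(uint256 initialShares, uint256 initialAssets) {
        totalShares = initialShares;
        totalAssets = initialAssets;
    }

    // Constructed case: totalShares = 100, totalAssets = 1000.
    // assets = 9 gives 9 * 100 / 1000 = 0 shares (integer division floors).
    function previewDeposit(uint256 assets) public view returns (uint256) {
        if (totalShares == 0) return assets;
        return (assets * totalShares) / totalAssets;
    }

    // Constructed case: totalShares = 1000, totalAssets = 100.
    // shares = 9 gives 9 * 100 / 1000 = 0 assets.
    function previewRedeem(uint256 shares) public view returns (uint256) {
        if (totalShares == 0) return 0;
        return (shares * totalAssets) / totalShares;
    }

    function deposit(uint256 assets) external returns (uint256 shares) {
        shares = previewDeposit(assets);
        // Without this check the caller's assets are taken for nothing.
        if (assets > 0 && shares == 0) revert ZeroSharesMinted();
        totalShares += shares;
        totalAssets += assets;
    }

    function redeem(uint256 shares) external returns (uint256 assets) {
        assets = previewRedeem(shares);
        // Without this check the caller's shares are burned for nothing.
        if (shares > 0 && assets == 0) revert ZeroAssetsReturned();
        totalShares -= shares;
        totalAssets -= assets;
    }
}
```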