Double counting issue with balanceOfThis and therefore withdraw
In
balanceOfThis,
if a token is present in the vault tokens list twice, it's balance is
counted twice, leading to double counting in the balanceOfThis
computation
function balanceOfThis()
public
view
returns (uint256 _balance)
{
address[] memory _tokens = manager.getTokens(address(this));
for (uint8 i; i < _tokens.length; i++) {
address _token = _tokens[i];
_balance = _balance.add(_normalizeDecimals(_token, IERC20(_token).balanceOf(address(this))));
}
}
Since
withdraw
function uses balanceOfThis to compute the amount to be sent back,
this will lead to user withdrawing more money than they should have.
Issue with removeToken
The problem is that the function
removeToken
seem to assume that all tokens are only present once in the dynamic
array. This means that if you add the same token twice, the call to
removeToken only removes it once. This could potentially create
issues.
Recommended Mitigation Steps
Unfortunately, checking this on chain with the current dynamic array
architecture will be expensive. It is recommended to use a mapping or an
enumerable set / mapping instead. The following is a sample
implementation.
Handle
hrkrshnn
Vulnerability details
addToken
does not check if the token was already addedThe function addToken does not check if the token was already present.
Double counting issue with
balanceOfThis
and thereforewithdraw
In balanceOfThis, if a token is present in the
vault
tokens list twice, it's balance is counted twice, leading to double counting in thebalanceOfThis
computationSince withdraw function uses
balanceOfThis
to compute the amount to be sent back, this will lead to user withdrawing more money than they should have.Issue with
removeToken
The problem is that the function removeToken seem to assume that all tokens are only present once in the dynamic array. This means that if you add the same token twice, the call to
removeToken
only removes it once. This could potentially create issues.Recommended Mitigation Steps
Unfortunately, checking this on chain with the current dynamic array architecture will be expensive. It is recommended to use a mapping or an enumerable set / mapping instead. The following is a sample implementation.