In the Vault.withdraw function a user burns _shares of VaultTokens to get _amount of outputTokens back from the vault.
If the vault doesn't have enough tokens, even after withdrawing from the controller, the user receives fewer tokens than they are owed; in other words, they could have burned fewer VaultTokens to receive the same output quantity.
Even if users check the vault before sending the withdraw transaction, they can still be frontrun, since there's no slippage-like parameter.
Tools Used
editor
Recommended Mitigation Steps
Suggested adding a way to compensate the user, for example by returning change in VaultTokens for the shortfall.
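A constructed Python model of the share accounting described above, added here and not the audited Vault code: it shows the withdraw path that burns all _shares up front beside a hardened one that burns only the shares covering the tokens actually delivered (returning the rest as change) and enforces a minimum output. The Vault fields, the controller's liquidity cap and all numbers are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Constructed model of a yield vault; balances are whole outputTokens."""
    total_supply: int          # VaultTokens outstanding
    balance: int               # outputTokens held by the vault itself
    controller: int            # outputTokens the controller manages for the vault
    controller_liquid: int     # part of that the controller can actually return now
    holders: dict = field(default_factory=dict)   # holder -> VaultTokens

    def _total_assets(self):
        return self.balance + self.controller

    def _pull(self, needed):
        """Ask the controller for `needed`; an illiquid strategy may return less."""
        got = min(needed, self.controller_liquid)
        self.controller -= got
        self.controller_liquid -= got
        self.balance += got
        return got

    def withdraw_vulnerable(self, user, shares):
        amount = shares * self._total_assets() // self.total_supply
        self.holders[user] -= shares          # every share is burned before paying
        self.total_supply -= shares
        if self.balance < amount:
            self._pull(amount - self.balance)
        paid = min(amount, self.balance)      # shortfall is silently eaten by the user
        self.balance -= paid
        return paid

    def withdraw_hardened(self, user, shares, min_out):
        supply, assets = self.total_supply, self._total_assets()
        amount = shares * assets // supply
        paid = min(amount, self.balance + self.controller_liquid)
        if paid < min_out:                    # slippage check: revert before any state change
            raise ValueError("output below minimum, withdrawal reverted")
        if self.balance < paid:
            self._pull(paid - self.balance)
        # burn only the shares that the delivered tokens are worth; ceiling so the
        # rounding favours the remaining holders, never the withdrawer
        burned = min(shares, -(-paid * supply // assets))
        self.holders[user] -= burned
        self.total_supply -= burned
        self.balance -= paid
        return paid, shares - burned          # (tokens received, change in VaultTokens)
```

With 1000 shares backed by 1000 tokens of which only 400 are reachable, burning 500 shares pays 400 tokens either way, but the hardened path hands back 100 shares that are still worth 100 tokens.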
Handle
0xsanson