code-423n4 / 2021-09-yaxis-findings


Issue in balance update in `setCap` #147

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

During `Controller.setCap` we change `_vaultDetails[_vault].balance` to `_vaultDetails[_vault].balance.sub(_balance)`. This is wrong, and the correct value should be `_vaultDetails[_vault].balance.sub(_diff)`, because `_diff` is the value withdrawn from the strategy. High risk because this is an accounting error that propagates through the function `balance()` in `Vault.sol`, so for all deposits/withdrawals.

Tools Used

editor

Recommended Mitigation Steps

Correct using `_diff` instead of `_balance`.
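
The accounting drift described in this report, as an added example that is not part of the original report or the yAxis contracts: a simplified Python model in which the `Controller` class, `earn`, the strategy names and all amounts are constructed. It assumes `_diff` is the strategy's excess over the new cap and that the vault reports its own funds plus the controller's tracked balance.

```python
# Simplified model of the accounting in the report (constructed; not the yAxis code).
class Controller:
    def __init__(self, use_diff):
        # True: subtract _diff (recommended fix); False: subtract _balance (reported bug)
        self.use_diff = use_diff
        self.strategies = {}   # strategy name -> funds actually held by that strategy
        self.tracked = 0       # stands in for _vaultDetails[_vault].balance
        self.vault_cash = 0    # funds sitting in the vault itself

    def earn(self, strategy, amount):
        """Move vault funds into a strategy and record them (hypothetical helper)."""
        self.vault_cash -= amount
        self.strategies[strategy] = self.strategies.get(strategy, 0) + amount
        self.tracked += amount

    def set_cap(self, strategy, cap):
        """Lower the cap; the excess goes back to the vault (assumed behaviour)."""
        balance = self.strategies[strategy]        # _balance
        if balance > cap:
            diff = balance - cap                   # _diff: amount withdrawn
            self.strategies[strategy] -= diff
            self.vault_cash += diff
            self.tracked -= diff if self.use_diff else balance

    def vault_balance(self):
        """What the vault reports (assumed: own funds + tracked balance)."""
        return self.vault_cash + self.tracked

    def actual_funds(self):
        """Ground truth: funds in the vault plus funds in every strategy."""
        return self.vault_cash + sum(self.strategies.values())


def run(use_diff):
    """Return (reported balance, actual funds) after one setCap call."""
    c = Controller(use_diff)
    c.vault_cash = 1000      # constructed deposit
    c.earn("A", 600)
    c.earn("B", 300)
    c.set_cap("A", 400)      # 200 of excess returns to the vault
    return c.vault_balance(), c.actual_funds()


if __name__ == "__main__":
    print("sub(_balance):", run(use_diff=False))
    print("sub(_diff):   ", run(use_diff=True))
```

In this model the reported balance falls short of the actual funds by the amount left in the capped strategy, and that gap persists for every later read of the balance.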

gpersoon commented 3 years ago

Duplicate of #1

GalloDaSballo commented 2 years ago

Duplicate of #1