Handle
hickuphh3
Vulnerability details
Impact
In withdraw(), the withdrawal amount is the proportion of the normalized amounts of all the tokens in the vault and its strategies. However, this amount isn't un-normalized to the output token's decimals, thus leading to an erroneous token amount being withdrawn.
Proof of Concept
We take USDC as an example, since it has 6 decimals.
deposit(USDC, 1000e6): Deposit 1000 USDC into the vault. The user receives 1000 shares.
withdraw(1000e18, USDC): Attempt a full withdrawal.
The expected _amount is 1000e6 as per the deposited amount. While the withdrawal will technically work because of the following lines:
we note that this logic should only be applied under normal circumstances, where the _amount is assumed to be in the token decimals.
Recommended Mitigation Steps
_amount needs to be un-normalised back to its native token decimals.
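The following is an added example, not the audited project's Solidity: a small Python model of the accounting the finding describes (every token normalized to 18 decimals, shares minted against the normalized total, withdrawal computed as a share of that total). It replays the proof of concept above, contrasting the unconverted _amount with the mitigated one, and extends it to an 18-decimal token to show why the defect is invisible there. The class and function names (Vault, normalize, denormalize, withdraw_amount_buggy, withdraw_amount_fixed) and the choice of 18 as the normalized precision are assumptions, not identifiers from the project.

```python
# Added example (not the audited project's code): a model of 18-decimal
# normalized vault accounting. All names below are hypothetical.

NORMALIZED_DECIMALS = 18  # assumed internal accounting precision


def normalize(amount: int, decimals: int) -> int:
    """Scale a raw token amount up to 18-decimal accounting units."""
    return amount * 10 ** (NORMALIZED_DECIMALS - decimals)


def denormalize(normalized: int, decimals: int) -> int:
    """Scale an 18-decimal accounting amount back to the token's native decimals."""
    return normalized // 10 ** (NORMALIZED_DECIMALS - decimals)


class Vault:
    """Toy multi-token vault: shares are minted against the normalized value of all holdings."""

    def __init__(self, token_decimals):
        self.decimals = dict(token_decimals)            # symbol -> decimals
        self.balances = {t: 0 for t in self.decimals}   # raw balances (vault + strategies)
        self.total_shares = 0                           # shares carry 18 decimals

    def total_normalized(self) -> int:
        return sum(normalize(bal, self.decimals[t]) for t, bal in self.balances.items())

    def deposit(self, token: str, amount: int) -> int:
        """Deposit `amount` in the token's own decimals; returns shares minted."""
        value = normalize(amount, self.decimals[token])
        if self.total_shares == 0:
            minted = value
        else:
            minted = value * self.total_shares // self.total_normalized()
        self.balances[token] += amount
        self.total_shares += minted
        return minted

    def _share_value(self, shares: int) -> int:
        """Normalized (18-decimal) value that `shares` represent as a proportion of holdings."""
        return shares * self.total_normalized() // self.total_shares

    def withdraw_amount_buggy(self, shares: int, token: str) -> int:
        """The behaviour the finding describes: `_amount` is left in normalized units."""
        return self._share_value(shares)

    def withdraw_amount_fixed(self, shares: int, token: str) -> int:
        """Recommended mitigation: un-normalize `_amount` to the output token's decimals."""
        return denormalize(self._share_value(shares), self.decimals[token])


def proof_of_concept():
    """Replays the finding's PoC (1000 USDC in, full withdrawal out) and, as an added
    comparison, the same flow with an 18-decimal token where the bug is masked."""
    results = {}
    for symbol, decimals in (("USDC", 6), ("DAI", 18)):   # constructed sample tokens
        vault = Vault({symbol: decimals})
        deposited = 1000 * 10 ** decimals
        shares = vault.deposit(symbol, deposited)         # 1000e18 shares in both cases
        buggy = vault.withdraw_amount_buggy(shares, symbol)
        fixed = vault.withdraw_amount_fixed(shares, symbol)
        results[symbol] = {
            "shares": shares,
            "expected": deposited,
            "buggy": buggy,
            "fixed": fixed,
            "error_factor": buggy // fixed,  # how far the unconverted amount is off
        }
    return results


if __name__ == "__main__":
    for symbol, r in proof_of_concept().items():
        print(symbol, r)
```

For USDC the unconverted _amount is 1000e18 against an expected 1000e6, a factor of 1e12 too large; for an 18-decimal token both paths agree, which is why a test suite that only exercises 18-decimal tokens never sees the defect. The model stops at computing _amount and does not reproduce the transfer logic that follows it in the contract, since those lines are not quoted in the finding.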