A certain amount of lp tokens (shares of the vault) will be minted to the strategyPerformanceTreasury as performanceFee, the amount is calculated based on the minLpPriceFactor.
However, the current formula for toMint is wrong, which issues more than 100% of the current totalSupply of the lp token to the strategyPerformanceTreasury each time. Causing users to lose 50% to 100% of their funds after a few times.
Alice deposited 1,000 USDC, received 1000 lpToken; the totalSupply of the lpToken is now: 1000;
3 days later, baseTvl increased to 1,001 USDC, Bob deposited 1 USDC and trigegred _chargeFees():
Expected Result: strategyPerformanceTreasury to receive about 0.01 lpToken (1% of 1 USDC);
Actual Result: minLpPriceFactor is about 1.001, and strategyPerformanceTreasury will received 1001 lpToken as performanceFee; Alice lose 50% of deposited funds.
Handle
WatchPug
Vulnerability details
A certain amount of lp tokens (shares of the vault) will be minted to the
strategyPerformanceTreasuryasperformanceFee, the amount is calculated based on theminLpPriceFactor.However, the current formula for
toMintis wrong, which issues more than 100% of the current totalSupply of the lp token to thestrategyPerformanceTreasuryeach time. Causing users to lose 50% to 100% of their funds after a few times.https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/LpIssuer.sol#L269-L271
PoC
Given:
strategyParams.performanceFee:10e7(1%)1,000 USDC, received1000lpToken; the totalSupply of the lpToken is now:1000;baseTvlincreased to1,001 USDC, Bob deposited1 USDCand trigegred_chargeFees():strategyPerformanceTreasuryto receive about0.01lpToken (1% of 1 USDC);minLpPriceFactoris about1.001, andstrategyPerformanceTreasurywill received1001lpToken as performanceFee; Alice lose 50% of deposited funds.Recommendation
Change to: