This is a classic medium risk when using the definition provided by Code4rena:
2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
Fixed in the PR linked above
Handle
WatchPug
Vulnerability details
Even though it's unlikely in practice, in theory the underlying contract (EthAnchor) may suffer investment losses, causing a decrease in the PPS of the AUST token. (There is code in the codebase that considers this situation, e.g. the handling of depositShares > claimerShares.)
However, when this happens, late users will suffer more losses than expected, compared with the users who withdraw earlier. The last few users may lose all their funds while the first users can get back 100% of their deposits.
PoC
Root Cause
When the strategy is losing money, share / underlying increases, therefore the computed depositShares (depositAmount * share / underlying) will increase unexpectedly.
https://github.com/code-423n4/2022-01-sandclock/blob/a90ad3824955327597be00bb0bd183a9c228a4fb/sandclock/contracts/Vault.sol#L544-L548
While totalShares remains unchanged, the computed depositShares is increasing, causing distortion of depositShares / totalShares, e.g. ∑ depositShares > totalShares.
Recommendation
In order to properly handle the investment loss of the strategy, consider adding a new storage variable called totalLoss to maintain a stable value of share / adjustedUnderlying.
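The arithmetic behind the root cause and the recommendation, as an added example that is not part of the report or of the Sandclock codebase. It is a simplified model with assumed rules: shares are minted 1:1 and burned from one global pool, a burn is capped at the shares left, and adjustedUnderlying is read as underlying + totalLoss; the function names are hypothetical.

```python
def claimed_shares(deposits, loss_pct):
    """Sum of depositShares computed right after the loss, before any withdrawal."""
    total_shares = sum(deposits)                      # assumed 1:1 mint at deposit time
    underlying = total_shares * (100 - loss_pct) // 100
    return sum(a * total_shares // underlying for a in deposits), total_shares


def simulate(deposits, loss_pct, track_loss):
    """Withdraw every deposit in order after the strategy loses loss_pct percent.

    track_loss=False: depositShares = depositAmount * share / underlying (as reported).
    track_loss=True:  one reading of the recommendation, where
                      adjustedUnderlying = underlying + totalLoss (assumption).
    """
    total_shares = sum(deposits)
    underlying = total_shares * (100 - loss_pct) // 100
    total_loss = (sum(deposits) - underlying) if track_loss else 0
    payouts = []
    for amount in deposits:
        adjusted = underlying + total_loss
        if total_shares == 0 or adjusted == 0:
            payouts.append(0)                         # pool already drained
            continue
        shares = amount * total_shares // adjusted    # computed depositShares
        burn = min(shares, total_shares)              # cannot burn more than exists
        paid = burn * underlying // total_shares      # redeem at the current price
        total_shares -= burn
        underlying -= paid
        if track_loss:
            total_loss -= amount - paid               # this user's loss is now realised
        payouts.append(paid)
    return payouts


if __name__ == "__main__":
    deposits = [100, 100, 100]                        # constructed sample: three equal deposits
    print("sum(depositShares), totalShares:", claimed_shares(deposits, 50))
    print("as reported   :", simulate(deposits, 50, track_loss=False))
    print("with totalLoss:", simulate(deposits, 50, track_loss=True))
```

With a 50% loss, the first withdrawer in this model recovers the full deposit, the second half of it and the third nothing, while the totalLoss variant spreads the loss evenly.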