code-423n4 / 2022-01-sandclock-findings


Withdrawals cause higher risk #194

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pedroais

Vulnerability details

Impact

Withdrawals will increase protocol risk for the rest of the users. Users could lose all their money even if only 50% was invested in the first place.

Proof of Concept

- A vault is created with a risky strategy and a max investment percentage of 50%, and users (correctly) trust the admins not to increase it.

- Various users deposit into the vault knowing only 50% of their funds are at risk.

- One or various users withdraw their money, and that money comes 100% from the portion that's not invested.

- This means the investPerc public variable will still be 50% but the real percentage could be a lot bigger.

- This could lead to a state in which 100% of the funds are at risk even if investPerc is 50%.
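
The drift described in the proof of concept above, as an added example that is not part of the original report or of Sandclock's code: a toy Python accounting model that tracks the effective at-risk share after each withdrawal and the amount a rebalancer would have to pull back to restore the target. `VaultModel`, its methods, the basis-point units and the deposit amounts are assumptions; only `investPerc` comes from the report.

```python
from dataclasses import dataclass


@dataclass
class VaultModel:
    """Toy accounting model, constructed for illustration (not Sandclock code)."""
    invest_perc: int   # target share in basis points (5000 = 50%), mirrors investPerc
    idle: int = 0      # funds still held by the vault
    invested: int = 0  # funds handed to the strategy

    def total(self) -> int:
        return self.idle + self.invested

    def target(self) -> int:
        return self.total() * self.invest_perc // 10_000

    def deposit(self, amount: int) -> None:
        self.idle += amount

    def invest(self) -> None:
        """Move idle funds to the strategy until the target share is reached."""
        move = max(0, min(self.idle, self.target() - self.invested))
        self.idle -= move
        self.invested += move

    def withdraw(self, amount: int) -> None:
        """Withdrawals are paid only from the idle reserve, as in the report."""
        if amount > self.idle:
            raise ValueError("insufficient idle reserve")
        self.idle -= amount

    def effective_bps(self) -> int:
        """Share of the remaining funds actually at risk, in basis points."""
        return self.invested * 10_000 // self.total() if self.total() else 0

    def excess_invested(self) -> int:
        """Amount a rebalancer must pull back to restore the target share."""
        return max(0, self.invested - self.target())


def scenario() -> list:
    """Constructed scenario: four users deposit 250 each, then two withdraw in full."""
    v = VaultModel(invest_perc=5000)
    for _ in range(4):
        v.deposit(250)
    v.invest()
    trace = [(v.effective_bps(), v.excess_invested())]
    for _ in range(2):
        v.withdraw(250)
        trace.append((v.effective_bps(), v.excess_invested()))
    return trace
```

Each tuple in the returned trace is (effective share in basis points, excess to divest); the target stays at 5000 throughout while the effective share climbs to 10000.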

gabrielpoca commented 2 years ago

I don't think this is an issue; it's just how the protocol works. We'll have a backend to rebalance the investment percentage.

dmvt commented 2 years ago

I have a hard time viewing this as an issue. The flexibility is a feature and this protocol clearly requires some active management. Invalid.