Closed by code423n4 2 years ago
I don't think this is an issue; it's just how the protocol works. We'll have a backend to rebalance the investment percentage.
I have a hard time viewing this as an issue. The flexibility is a feature and this protocol clearly requires some active management. Invalid.
Handle
pedroais
Vulnerability details
Impact
Withdrawals will increase protocol risk for the rest of the users. Users could lose all their money even if only 50% was invested in the first place.
Proof of Concept
- A vault is created with a risky strategy and a max investment percentage of 50%, and users (correctly) trust the admins to not increase it.
- Various users deposit into the vault knowing only 50% of their funds are at risk.
- One or various users withdraw their money, and that money comes 100% from the portion that's not invested.
- This means the investPerc public variable will still be 50% but the real percentage could be a lot bigger.
- This could lead to a state in which 100% of the funds are at risk even if investPerc is 50%.
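The accounting in the steps above, and the rebalancing the sponsor's comment refers to, can be followed in a small model. This is an added example, not part of the original report or the project's code; `VaultModel`, its fields and the amounts are hypothetical, and it assumes withdrawals are served only from uninvested funds, as the report describes.

```python
from dataclasses import dataclass


@dataclass
class VaultModel:
    """Toy accounting model; names are hypothetical, not the project's."""
    invest_perc_bps: int  # configured cap in basis points (5000 = 50%)
    idle: int = 0         # funds held by the vault itself
    invested: int = 0     # funds held by the strategy

    def target(self) -> int:
        """Amount the cap allows in the strategy at the current total."""
        return (self.idle + self.invested) * self.invest_perc_bps // 10_000

    def invest(self) -> None:
        """Move idle funds into the strategy, never past the cap."""
        move = max(0, min(self.idle, self.target() - self.invested))
        self.idle -= move
        self.invested += move

    def withdraw(self, amount: int) -> None:
        """Serve a withdrawal from idle funds only (assumption from the report)."""
        if amount > self.idle:
            raise ValueError("insufficient idle funds")
        self.idle -= amount

    def effective_bps(self) -> int:
        """Share of remaining funds that is actually in the strategy."""
        total = self.idle + self.invested
        return 0 if total == 0 else self.invested * 10_000 // total

    def rebalance(self) -> int:
        """Pull the excess back from the strategy; returns the amount moved."""
        excess = max(0, self.invested - self.target())
        self.invested -= excess
        self.idle += excess
        return excess


def scenario():
    # Constructed numbers: 1000 deposited in total, cap of 50%.
    v = VaultModel(invest_perc_bps=5000, idle=1000)
    v.invest()
    history = [v.effective_bps()]
    for _ in range(2):  # two withdrawals of 250, both paid from idle funds
        v.withdraw(250)
        history.append(v.effective_bps())
    pulled = v.rebalance()
    return history + [v.effective_bps()], pulled
```

Comparing `effective_bps()` against the configured cap after each withdrawal is the check a rebalancing backend would need to run.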