Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/InsuranceFund.sol#L39
Vulnerability details
In deposit, when the ratio totalSupply / balance is very high, the number of shares minted can round down to zero.
Proof of Concept
Alice is the first to deposit into the insurance fund. She deposits 1 basic unit of vusd (10^-6 dollar), minting one share. She then transfers 1 million vusd to the contract. Bob then deposits 500,000 vusd (500000 * 10**6 basic units). The number of shares he gets is 500000 * 10**6 * 1 / (1000000 * 10**6) = 0. The number of shares therefore does not change, but the balance increases by 500,000 dollars. Alice can now withdraw her share and receive her funds back together with Bob's funds, as he doesn't have any shares.
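An added example, not part of the original report or the Hubble code base: a Python model of the share arithmetic that replays the steps above with truncating integer division. The FundModel class, its method names and the reject_zero_shares guard are assumptions made for illustration; the guard is one common check and is not taken from the report's mitigation.

```python
# Simplified model of a share-based fund (an assumption, not InsuranceFund.sol itself).
# Amounts are integers in basic units: 1 vusd = 10**6 units.
UNIT = 10**6


class FundModel:
    def __init__(self, reject_zero_shares=False):
        self.balance = 0          # vusd units held by the fund
        self.total_supply = 0     # shares in circulation
        self.shares = {}          # holder -> shares
        self.reject_zero_shares = reject_zero_shares  # hypothetical guard

    def deposit(self, who, amount):
        # First depositor gets 1 share per unit; later ones get a pro-rata
        # amount using integer division, which truncates like Solidity.
        if self.total_supply == 0:
            minted = amount
        else:
            minted = amount * self.total_supply // self.balance
        if self.reject_zero_shares and minted == 0:
            raise ValueError("deposit would mint zero shares")
        self.balance += amount
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def transfer_in(self, amount):
        # Tokens sent straight to the contract: balance grows, no shares minted.
        self.balance += amount

    def withdraw(self, who, share_amount):
        payout = share_amount * self.balance // self.total_supply
        self.shares[who] -= share_amount
        self.total_supply -= share_amount
        self.balance -= payout
        return payout


def run_poc(reject_zero_shares=False):
    fund = FundModel(reject_zero_shares)
    alice = fund.deposit("alice", 1)            # 1 basic unit -> 1 share
    fund.transfer_in(1_000_000 * UNIT)          # transfer of 1 million vusd
    bob = fund.deposit("bob", 500_000 * UNIT)   # rounds down to 0 shares
    payout = fund.withdraw("alice", alice)
    return alice, bob, payout
```

run_poc() returns Alice's shares, Bob's shares and Alice's payout in basic units; with reject_zero_shares=True Bob's deposit raises instead of being accepted for zero shares.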
Recommended Mitigation Steps
change to: