Open code423n4 opened 2 years ago
The warden has identified what is most likely a small oversight, which would have drastic consequences in the internal accounting of the Vault. Because of impact, I agree with high severity.
Will make this finding primary because it shows full details and a POC.
The sponsor has mitigated
Lines of code
https://github.com/Rari-Capital/solmate/blob/8c0e278900fe552fa0739975bde21c6a07d84ccf/src/mixins/ERC4626.sol#L67
Vulnerability details
Impact
The
ERC4626.mint
function mintsamount
instead ofshares
. This will lead to issues when theasset <> shares
are not 1-to-1 as will be the case for most vaults over time. Usually, the asset amount is larger than the share amount as vaults receive asset yield. Therefore, when minting,shares
should be less thanamount
. Users receive a larger share amount here which can be exploited to drain the vault assets.POC
Assume
vault.totalSupply() = 1000
,totalAssets = 1500
mint(shares=1000)
. Only need to pay1000
asset amount but receive1000
shares =>vault.totalSupply() = 2000
,totalAssets = 2500
.redeem(shares=1000)
. Receive(1000 / 2000) * 2500 = 1250
amounts. Make a profit of250
asset tokens.shares <> assets
are 1-to-1Recommended Mitigation Steps
In
deposit
: