`vToken`s may not be minted in `IndexLogic.mint` function

[code423n4]

Lines of code

https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/IndexLogic.sol#L47 https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/IndexLogic.sol#L55

Vulnerability details

Impact

In function mint of contract IndexLogic a vToken is

• created/returned
• its state _is not changed
• and then vToken.mint() is called

In the case that the vToken is merely returned instead of being created this means that no vault tokens will be minted since the state of the vToken instance must change in order for the call to vToken._mint to do anything.

The impact is that no tokens would be minted in this case.

Perhaps this particular scenario never occurs in practice, but this is very hard to know without knowing how IvToken.createOrReturnVTokenOf is implemented. Only the interface to this function was provided for this audit.

Proof of Concept

On line 47 we have

47    IvToken vToken = IvToken(IvTokenFactory(vTokenFactory).createOrReturnVTokenOf(assets.at(i)));

Later on line 55 we have

55    vToken.mint();

In between these lines there are calls to vToken.lastBalance() and vToken.lastAssetBalanceOf(address(this)) but both of these functions are marked view which means they do not change the state of the vToken.

If the vToken was merely returned on line 47 then vToken.mint() will not mint any more tokens when called on line 55.

Tools Used

Manual inspection

Recommended Mitigation Steps

Consider adding a check for whether the vToken contract was only returned on line 55.

If so, a deposit must be made into the vToken in order to increase its total supply, in order to cause anything to be minted.

[jn-lp]

vToken is always returned by this function

[moose-code]

Again its not ideal at all that code interacting with audit code is not supplied, but a fair assumption in this case. Siding with sponsor