In Buyout.cash() function, users will burn their fractions to cash out ETH. The ETH amount is proportionate the number of fractions they have. So when someone burn fractions, total amount of ETH (ethBalance) should be updated accordingly. But in cash() function, there is no update for ethBalance.
The result is some last users may unable to cash out because actual ETH balance of vault is zero.
Proof of Concept
Vault currently has ethBalance = 1e18, totalSupply = 1e18.
Alice cash out 5e17 fractions token. She will receive 5e17 wei. Now, totalSupply = 5e17 but ethBalance is not updated and still = 1e18. But actually the vault ETH balance is only 5e17 now
Alice continue cash out 4e17 fractions token. She will receive
ecmendenhall
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Buyout.sol#L244
Vulnerability details
Impact
In
Buyout.cash()function, users will burn their fractions to cash out ETH. The ETH amount is proportionate the number of fractions they have. So when someone burn fractions, total amount of ETH (ethBalance) should be updated accordingly. But incash()function, there is no update forethBalance.The result is some last users may unable to cash out because actual ETH balance of vault is zero.
Proof of Concept
ethBalance = 1e18,totalSupply = 1e18.5e17fractions token. She will receive5e17wei. Now,totalSupply = 5e17butethBalanceis not updated and still= 1e18. But actually the vault ETH balance is only 5e17 now4e17fractions token. She will receiveSo Alice TX will be reverted because there is not enough balance.
Tools Used
Manual Review
Recommended Mitigation Steps
Update
ethBalanceafter cash out