code-423n4 / 2023-01-astaria-findings


Vault does not work with underlying tokens that have 0 decimals #601

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L106

Vulnerability details

PublicVault.deposit() uses ERC4626-Cloned.deposit() to deposit funds into the vault.

264: return super.deposit(amount, receiver);

which checks that the number of shares minted is higher than minDepositAmount():

27: require(shares > minDepositAmount(), "VALUE_TOO_SMALL");

For tokens with decimals != 18, PublicVault.minDepositAmount() returns the following:

106: return 10**(ERC20(asset()).decimals() - 1);

This will revert with an underflow error for tokens with decimals() == 0, meaning the vaults will not work with such tokens.

Impact

Medium

Tools Used

Manual Analysis

Mitigation

Consider using a minDepositAmount parameter in newPublicVault, to allow strategists to set the minimum deposit to a constant of their choice.
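
The underflow described in this report, next to the suggested creation-time minimum, as an added example that is not part of the original issue or the Astaria code base. All contract and function names are hypothetical, the mock asset is constructed, and only the non-18-decimals branch quoted above is modeled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; names below are hypothetical, not Astaria's.
interface IDecimals {
    function decimals() external view returns (uint8);
}

// Constructed stand-in for an underlying asset with a configurable decimals().
contract MockAsset is IDecimals {
    uint8 public immutable override decimals;

    constructor(uint8 d) {
        decimals = d;
    }
}

contract MinDepositDemo {
    IDecimals public immutable asset;
    // Mitigation from the report: a constant the strategist picks at vault creation.
    uint256 public immutable strategistMin;

    constructor(IDecimals asset_, uint256 strategistMin_) {
        asset = asset_;
        strategistMin = strategistMin_;
    }

    // Branch quoted in the report. `decimals() - 1` is checked uint8 arithmetic,
    // so an asset with decimals() == 0 reverts with Panic(0x11).
    function minDepositAsReported() external view returns (uint256) {
        return 10 ** (asset.decimals() - 1);
    }

    // Mitigated form: no arithmetic on decimals(), so it cannot underflow.
    function minDepositConfigured() external view returns (uint256) {
        return strategistMin;
    }

    // Makes the failure observable without a trace:
    // 6 decimals -> (false, 0, 100000); 0 decimals -> (true, 0x11, 0).
    function probe() external view returns (bool reverted, uint256 panicCode, uint256 value) {
        try this.minDepositAsReported() returns (uint256 v) {
            return (false, 0, v);
        } catch Panic(uint256 errorCode) {
            return (true, errorCode, 0);
        }
    }
}
```

Deploying `MinDepositDemo` once against `MockAsset(6)` and once against `MockAsset(0)` and calling `probe()` shows the two outcomes; `minDepositConfigured()` returns the chosen constant in both cases.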

Picodes commented 1 year ago

Downgrading to QA in the absence of a credible example of such token.

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2023-01-astaria-findings/issues/591