search

code-423n4 / 2023-01-popcorn-findings

0 stars 0 forks source link

YearnAdapter allows user to redeem more vault shares than user has because of rounding #483

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/adapter/yearn/YearnAdapter.sol#L166-L172 https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/adapter/yearn/YearnAdapter.sol#L129-L137

Vulnerability details

Impact

YearnAdapter allows user to redeem more vault shares than user has because of rounding.

Proof of Concept

When user wants to withdraw, then his adapter shares are converted to the vault shares and withdrawn from it.

https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/adapter/yearn/YearnAdapter.sol#L129-L137

    function convertToUnderlyingShares(uint256, uint256 shares)
        public
        view
        override
        returns (uint256)
    {
        return
            shares.mulDiv(underlyingBalance, totalSupply(), Math.Rounding.Up);
    }

convertToUnderlyingShares function is responsible for converting. As you can see it rounds up calculation and as result allows user withdraw more shares from vault then he has. Because of that some users can be not able to withdraw all their amount.

Tools Used

VsCode

Recommended Mitigation Steps

Round down here.

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor acknowledged

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b