c4-judge
commented
1 year ago dmvt marked the issue as duplicate of #15
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago dmvt marked the issue as duplicate of #15
c4-sponsor
commented
1 year ago RedVeil marked the issue as sponsor confirmed
c4-judge
commented
1 year ago dmvt marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/Vault.sol#L285-L287
Vulnerability details
Description
This is the classic share inflation attack described here: https://ethereum-magicians.org/t/address-eip-4626-inflation-attacks-with-virtual-shares-and-assets/12677
The popcorn Vault is an abstraction on top of other vaults which acts like adapters to wrap other yield bearing protocols. Hence the asset in Vault are the shares in this adapter.
An early user can get shares in the underlying vault by depositing assets directly there. Then deposit
1 weiinto the vault and donate the minted adapter shares to the vault. Effectively exploding the share value.Impact
An early user can drastically impact the share value for later users.
Proof of Concept
PoC test in
Vault.t.sol:Tools Used
manual audit, vs code, forge
Recommended Mitigation Steps
There are a couple of different approaches to mitigating this:
Burn first 1000 shares
In the same way that the asset ERC4626 contract keeps an internal balance the vault could
only allow Vault to deposit/mint in the adapter.
Follow the recommendation in https://ethereum-magicians.org/t/address-eip-4626-inflation-attacks-with-virtual-shares-and-assets/12677 and inflate the decimals in the shares.