code-423n4 / 2023-01-popcorn-findings


Token implementation in not fully up to EIP-4626 specification #776

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L404-L406

Vulnerability details

Vulnerability Detail

MUST return the maximum amount of shares mint would allow to be deposited to receiver and not cause a revert, which MUST NOT be higher than the actual maximum that would be accepted (it should underestimate if necessary). This assumes that the user has infinite assets, i.e. MUST NOT rely on balanceOf of asset.

https://eips.ethereum.org/EIPS/eip-4626#:~:text=MUST%20return%20the%20maximum%20amount%20of%20shares,NOT%20rely%20on%20balanceOf%20of%20asset

maxMint() should encompass the limitation of maxSupply.

Impact

Could cause unexpected behavior in the future due to non-compliance with EIP-4626 standard.

Tools Used

VScode

Recommended Mitigation Steps

maxMint() should encompass the limitation of maxSupply. Suggested change to maxMint():

```solidity
function maxMint(address) public view virtual returns (uint256) {
    // Once the cap is reached, no further shares can be minted.
    if (totalSupply >= maxSupply) {
        return 0;
    }
    // Remaining headroom under the supply cap.
    return maxSupply - totalSupply;
}
```
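The EIP-4626 property the finding relies on, written as a small model check (added example, not code from the Popcorn repository): a vault whose maxMint() ignores the cap reports a value that mint() would then revert on, while the capped version does not. The vault model below is a constructed simplification that tracks only totalSupply and maxSupply; the names are assumptions for illustration.

```python
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1


@dataclass
class VaultModel:
    """Constructed stand-in for a vault with a hard supply cap."""
    total_supply: int
    max_supply: int
    capped_max_mint: bool  # True = maxMint respects maxSupply

    def max_mint(self, receiver: str = "0xreceiver") -> int:
        # Per EIP-4626 the answer must not depend on the caller's
        # asset balance, so nothing here looks at balanceOf.
        if not self.capped_max_mint:
            return MAX_UINT256  # unbounded value the finding objects to
        if self.total_supply >= self.max_supply:
            return 0
        return self.max_supply - self.total_supply

    def mint(self, shares: int, receiver: str = "0xreceiver") -> int:
        # The real mint path enforces the cap and reverts beyond it.
        if self.total_supply + shares > self.max_supply:
            raise ValueError("revert: maxSupply exceeded")
        self.total_supply += shares
        return shares


def max_mint_is_compliant(vault: VaultModel) -> bool:
    """EIP-4626 check: minting exactly maxMint() must never revert.

    Works on a copy so the caller's vault state is left untouched.
    """
    trial = VaultModel(vault.total_supply, vault.max_supply,
                       vault.capped_max_mint)
    try:
        trial.mint(trial.max_mint())
    except ValueError:
        return False
    return True
```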

c4-sponsor commented 1 year ago

RedVeil marked the issue as disagree with severity

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor disputed

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b