When msg.sender is not the owner, the line below can cause an arithmetic underflow/overflow error when the allowance is not sufficient. This should be handled gracefully.

    if (msg.sender != owner)
        _approve(owner, msg.sender, allowance(owner, msg.sender) - shares);
Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L230-L231
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L260-L261
Vulnerability details
Impact
File: Vault.sol
Functions: withdraw() and redeem()
When msg.sender is not the owner, the allowance subtraction in these functions can cause an arithmetic underflow/overflow error when the allowance is not sufficient. This should be handled gracefully.
Proof of Concept
Here is a simple Foundry test that I added to Vault.t.sol
Tools Used
Manual review.
Recommended Mitigation Steps
Add a check to make sure msg.sender has enough allowance from the owner. For example:
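One way such a check could look, as an added sketch that is not Popcorn's code and not the example from the original report. The contract, its function names and the `InsufficientAllowance` error are hypothetical; it isolates the allowance handling and puts the unchecked subtraction beside a checked version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not Popcorn's Vault.sol: a minimal share ledger that
// isolates the allowance handling discussed for withdraw() and redeem().
contract AllowanceCheckExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    // Hypothetical error name, chosen for this example.
    error InsufficientAllowance(address owner, address spender, uint256 allowed, uint256 needed);

    function mint(address to, uint256 shares) external {
        balanceOf[to] += shares; // unrestricted only because this is a demo
    }

    function approve(address spender, uint256 shares) external {
        allowance[msg.sender][spender] = shares;
    }

    // Pattern from the report: with checked arithmetic (Solidity >= 0.8) a
    // too-small allowance reverts with Panic(0x11) and no explanation.
    function redeemUnchecked(uint256 shares, address owner) external {
        if (msg.sender != owner)
            allowance[owner][msg.sender] = allowance[owner][msg.sender] - shares;
        balanceOf[owner] -= shares; // stands in for the vault's burn logic
    }

    // Same logic with an explicit check, so the caller gets a descriptive
    // revert that names the owner, the spender and both amounts.
    function redeemChecked(uint256 shares, address owner) external {
        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender];
            if (allowed < shares)
                revert InsufficientAllowance(owner, msg.sender, allowed, shares);
            allowance[owner][msg.sender] = allowed - shares;
        }
        balanceOf[owner] -= shares; // stands in for the vault's burn logic
    }
}
```

Both functions revert when the allowance is too small; the difference is that the checked one fails with a decodable error instead of a generic arithmetic panic.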