code423n4 closed 1 year ago
trust1995 marked the issue as duplicate of #848
trust1995 marked the issue as satisfactory
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-b
0xBebis marked the issue as sponsor disputed
deposit whitelist
Lines of code
https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperVaultV2.sol#L319
Vulnerability details
Impact
The attack vector and impact are the same as TOB-YEARN-003, where users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”.
Inside the _deposit function, ReaperVaultV2.sol:334 calculates the _freefunds with the help of function freefunds() by using the balance() function. The balance function in turn relies on balanceOf(address.this). The current implementation of this function is susceptible to an attack where the attacker will front-run the first deposit to the pool and inflate the price per share.
Proof of Concept
Attack Steps
ReaperVaultV2 contract to greatly inflate the share’s price.
shares = (_amount * totalSupply()) / freeFunds. The vault has issued 1 share and has 10 wETH as its token balance. Thus, the shares = (5 wETH * 1)/10 wETH which when rounded down will be 0.
Tools Used
Manual Review
Recommended Mitigation Steps
Issue the first few shares to address(0) which will make the attack unfeasible.
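The rounding in the attack steps and the effect of the recommended address(0) mitigation, as an added Python model that is not the ReaperVaultV2 source or the reporter's code. Assumptions: the first deposit mints shares 1:1, freeFunds equals the token balance, and 1000 locked shares is an illustrative figure; VaultModel and run are hypothetical names.

```python
# Added model of the share arithmetic; not the ReaperVaultV2 source.
WETH = 10**18          # 1 wETH in wei
DEAD = "address(0)"    # holder of the locked shares in the mitigated vault


class VaultModel:
    """Integer model of shares = (_amount * totalSupply()) / freeFunds."""

    def __init__(self, locked_shares=0):
        self.token_balance = 0              # what the vault's balanceOf would report
        self.shares = {}                    # holder -> share balance
        self.locked_shares = locked_shares  # assumption: minted to address(0) once

    def total_supply(self):
        return sum(self.shares.values())

    def donate(self, amount):
        # Direct token transfer: raises the balance, mints no shares.
        self.token_balance += amount

    def deposit(self, who, amount):
        free_funds = self.token_balance     # simplification: no locked profit or debt
        supply = self.total_supply()
        if supply == 0:
            minted = amount                 # assumption: first deposit mints 1:1
            if self.locked_shares:
                if amount <= self.locked_shares:
                    raise ValueError("first deposit too small")
                self.shares[DEAD] = self.locked_shares
                minted -= self.locked_shares
        else:
            minted = (amount * supply) // free_funds  # rounds down, as in Solidity
        self.token_balance += amount
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def claim(self, who):
        # Assets redeemable for a holder's shares at the current price.
        return self.shares.get(who, 0) * self.token_balance // self.total_supply()


def run(locked_shares, first_deposit):
    v = VaultModel(locked_shares)
    v.deposit("first", first_deposit)
    v.donate(10 * WETH - v.token_balance)   # balance becomes 10 wETH, as in the report
    victim_shares = v.deposit("victim", 5 * WETH)
    return victim_shares, v.claim("victim"), v.claim("first")
```

With no locked shares the 5 wETH deposit mints 0 shares; with shares locked at address(0) the same deposit mints 500 shares and the donated balance mostly accrues to the locked shares and the later depositor rather than to the first depositor.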