Lines of code
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/maia/tokens/ERC4626PartnerManager.sol#L189

Vulnerability details

Impact
In the migratePartnerVault() method, a vaultId of 0 is treated as an illegal (unrecognized) vault address, but the ids of the vaults start from 0. As a result the first vault registered in the factory is mistaken for an illegal vault address.

Proof of Concept
The migratePartnerVault() method determines whether newPartnerVault is legal by checking that the factory's vaultId for the vault is not 0. The code is as follows:

```solidity
function migratePartnerVault(address newPartnerVault) external onlyOwner {
@>  if (factory.vaultIds(IBaseVault(newPartnerVault)) == 0) revert UnrecognizedVault();
    address oldPartnerVault = partnerVault;
    if (oldPartnerVault != address(0)) IBaseVault(oldPartnerVault).clearAll();
    bHermesToken.claimOutstanding();
    // ... remainder of the function omitted in the report
```

But when the factory adds a vault in PartnerManagerFactory.addVault(), the index starts from 0, so the id of the first vault is 0.

The id of the first vault starts from 0 because the constructor does not add address(0) to vaults, unlike what it does for partners.

So migratePartnerVault() cannot be processed for the first vault.

Tools Used

Recommended Mitigation Steps
Similar to partners, add a vault with address(0) by default in the constructor method.

Assessed type
Context
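The off-by-one described above, as an added illustration rather than the project's own code: a minimal factory in the shape the report describes (array index used as id, first entry gets 0) beside one that applies the recommended mitigation. The contract and function names below (VulnerableFactory, FixedFactory, addVault, isRecognized) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not the audited project's code.
interface IBaseVault {}

contract VulnerableFactory {
    IBaseVault[] public vaults;                   // index is used as the id
    mapping(IBaseVault => uint256) public vaultIds;

    function addVault(IBaseVault vault) external {
        vaultIds[vault] = vaults.length;          // first call stores id 0
        vaults.push(vault);
    }

    // The manager's check: id 0 is read as "unknown", so the first
    // registered vault is rejected even though it is legitimate.
    function isRecognized(IBaseVault vault) external view returns (bool) {
        return vaultIds[vault] != 0;
    }
}

contract FixedFactory {
    IBaseVault[] public vaults;
    mapping(IBaseVault => uint256) public vaultIds;

    constructor() {
        // Reserve index 0 with a sentinel entry, as the report recommends,
        // so every real vault receives an id of at least 1.
        vaults.push(IBaseVault(address(0)));
    }

    function addVault(IBaseVault vault) external {
        require(address(vault) != address(0), "zero vault");
        require(vaultIds[vault] == 0, "already added");
        vaultIds[vault] = vaults.length;          // first real vault gets id 1
        vaults.push(vault);
    }

    // Now 0 unambiguously means "never registered".
    function isRecognized(IBaseVault vault) external view returns (bool) {
        return vaultIds[vault] != 0;
    }
}
```

With VulnerableFactory, isRecognized() returns false for the first vault added; with FixedFactory it returns true for every added vault and false only for addresses that were never registered.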