NO CHECK TO VERIFY THE ELEMENTS OF `assetsAmounts[]` ARRAY IS IN THE SAME ORDER AS `assets[]` ARRAY, IF MISCONFIGURED COULD BREAK THE INTERNAL ACCOUNTING OF SHARE CALCULATION #867
In the ERC4626MultiToken.convertToShares() function, assetsAmounts are used to calculate the shares to mint. Here the assetsAmounts are expected to be passed in the order of the assets array. If there is any misconfiguration in the order, then it will affect the internal shares calculation since the weights[i] would be different for the respective assetsAmounts[i]. Hence the minted share amount could be erroneous which could impact the overall accounting of the protocol.
Proof of Concept
function convertToShares(uint256[] calldata assetsAmounts) public view virtual returns (uint256 shares) {
uint256 _totalWeights = totalWeights;
uint256 length = assetsAmounts.length;
if (length != assets.length) revert InvalidLength();
shares = type(uint256).max;
for (uint256 i = 0; i < length;) {
uint256 share = assetsAmounts[i].mulDiv(_totalWeights, weights[i]);
if (share < shares) shares = share;
unchecked {
i++;
}
}
}
Hence it is recommended to implement a validation to verify that the elements of the assetsAmounts[] array are in the correct order as the assets[] array. This can be done by passing in a struct array when calling the ERC4626MultiToken.deposit() function. Each struct should include the address of the respective asset and the corresponding assetsAmounts. This struct array should be passed into the ERC4626MultiToken.convertToShares() function from the deposit function. Inside the convertToShares function inside the for loop it can be checked if each of the address of the asset is in the correct order as of asset[] array. If the order is different the transaction should revert.
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/erc-4626/ERC4626MultiToken.sol#L194-L208
Vulnerability details
Impact
In the
ERC4626MultiToken.convertToShares()
function,assetsAmounts
are used to calculate the shares to mint. Here theassetsAmounts
are expected to be passed in the order of theassets
array. If there is any misconfiguration in the order, then it will affect the internalshares
calculation since theweights[i]
would be different for the respectiveassetsAmounts[i]
. Hence the mintedshare
amount could be erroneous which could impact the overall accounting of the protocol.Proof of Concept
https://github.com/code-423n4/2023-05-maia/blob/main/src/erc-4626/ERC4626MultiToken.sol#L194-L208
Tools Used
VSCode and Manual Review
Recommended Mitigation Steps
Hence it is recommended to implement a validation to verify that the elements of the
assetsAmounts[]
array are in the correct order as theassets[]
array. This can be done by passing in a struct array when calling theERC4626MultiToken.deposit()
function. Each struct should include theaddress
of the respectiveasset
and the correspondingassetsAmounts
. This struct array should be passed into theERC4626MultiToken.convertToShares()
function from thedeposit
function. Inside theconvertToShares
function inside thefor
loop it can be checked if each of theaddress
of the asset is in the correct order as ofasset[]
array. If the order is different the transaction should revert.Assessed type
Other