Closed code423n4 closed 1 year ago
asselstine marked the issue as disagree with severity
Picodes changed the severity to QA (Quality Assurance)
No funds would be lost, and why would anyone withdraw 0?
Picodes marked the issue as grade-c
This fix has been implemented in the following PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/18/files#diff-97c974f5c3c03a0cfcbc52a5b8b9ae2196d535754ff2034e2903de1fec23508aR1057
_assets could be 0 if the exchange rate has been manipulated and the conversion from shares to assets returns 0.
In this case, we should not burn shares in exchange for 0 assets and we revert with the custom error: WithdrawZeroAssets
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L518
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1026
https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/ValidationLogic.sol#L101
Vulnerability details
Impact
The transaction of the Vault#withdraw() will be reverted if a user assigns 0 into the _assets parameter (of the Vault#withdraw()) and the yield source of the yieldVault would be the Aave V3.
Proof of Concept
When a user withdraws their deposited asset from the Vault, the user calls the Vault#withdraw().
Within the Vault#withdraw(), the Vault#_withdraw() would be called like this: https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L518
Within the Vault#_withdraw(), yieldVault#withdraw() would be called like this: https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1026
However, within the Vault#withdraw(), if a user assigns 0 into the _assets parameter and the yield source of the yieldVault would be the Aave V3, this transaction will be reverted, because Aave V3 does not allow withdrawing a 0 amount, like this: https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/ValidationLogic.sol#L101
So the Vault#withdraw() will be reverted if the user assigns zero into the _assets parameter in the Vault#withdraw().
Tools Used
Recommended Mitigation Steps
Within the Vault#withdraw(), consider adding an input validation in order to check whether or not a user assigns more than 0 (zero) into the _assets parameter like this:
Assessed type
Other
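
The guard discussed in this thread, as an added illustration that is not part of the report and is not code from pt-v5-vault or Aave: a share amount that rounds down to 0 assets is rejected before any shares are burned and before a zero amount reaches the yield source. Every name except WithdrawZeroAssets (named in the fix comment) is hypothetical, and MockYieldSource only stands in for a yield source that rejects a zero amount, as the report says Aave V3 does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical stand-in for a yield source that rejects a zero amount.
contract MockYieldSource {
    function withdraw(uint256 amount) external pure returns (uint256) {
        require(amount != 0, "zero amount"); // constructed revert reason
        return amount;
    }
}

/// Hypothetical minimal vault; only the zero-assets guard mirrors the thread.
contract GuardedVaultSketch {
    error WithdrawZeroAssets();

    MockYieldSource public immutable yieldSource;
    uint256 public totalShares;
    uint256 public totalAssets;
    mapping(address => uint256) public sharesOf;

    // Constructed starting state: the deployer holds every share.
    constructor(MockYieldSource source, uint256 shares, uint256 assets) {
        yieldSource = source;
        totalShares = shares;
        totalAssets = assets;
        sharesOf[msg.sender] = shares;
    }

    /// Rounds down, so a small share amount can convert to 0 assets
    /// when the exchange rate is low (e.g. 1 share with 1000 shares : 10 assets).
    function convertToAssets(uint256 shares) public view returns (uint256) {
        return totalShares == 0 ? 0 : (shares * totalAssets) / totalShares;
    }

    function redeem(uint256 shares) external returns (uint256 assets) {
        assets = convertToAssets(shares);
        // Check first, then change state: no shares are burned for 0 assets
        // and the yield source never sees a zero amount.
        if (assets == 0) revert WithdrawZeroAssets();

        sharesOf[msg.sender] -= shares; // checked arithmetic reverts on underflow
        totalShares -= shares;
        totalAssets -= assets;
        yieldSource.withdraw(assets);
    }
}
```

Deployed with 1000 shares against 10 assets, redeem(1) and redeem(0) both revert with WithdrawZeroAssets, while redeem(100) burns 100 shares and withdraws 1 asset.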