c4-judge
commented
1 year ago Picodes marked the issue as primary issue
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago Picodes marked the issue as primary issue
c4-sponsor
commented
1 year ago asselstine marked the issue as sponsor confirmed
c4-judge
commented
1 year ago Picodes marked the issue as duplicate of #124
c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
c4-judge
commented
1 year ago Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L573-L575
Vulnerability details
Impact
liquidateis the only function where_increaseYieldFeeBalanceis called._increaseYieldFeeBalanceincreases the value of_yieldFeeTotalSupplyby some number of shares. The argument passed to_increaseYieldFeeBalanceshould be a number of shares. The value that is passed to_increaseYieldFeeBalancehas units of shares, because_amountOuthas units of shares, but the calculation is incorrect and can be manipulated.Proof of Concept
Take the value that is passed to
_increaseYieldFeeBalancehttps://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L573-L575
The exact value is
(_amountOut * FEE_PRECISION) / (FEE_PRECISION - _yieldFeePercentage) - _amountOut, but a simplified analogy will be easier to understand first. Take the formula( _amountOut * (100 / (100 - x)) ) - _amountOut. The fraction100 / (100 - x)has the smallest value of 1 when x = 0 and the greatest value of 100 when x = 99.Returning to the original value of
(_amountOut * FEE_PRECISION) / (FEE_PRECISION - _yieldFeePercentage) - _amountOut, the maximum value is when_yieldFeePercentage = FEE_PRECISION - 1so that the resulting value is(_amountOut * FEE_PRECISION) - _amountOutwhich can be simplified to_amountOut * (FEE_PRECISION - 1). BecauseFEE_PRECISIONis a constant with value 1e9, this means_yieldFeeTotalSupplycan increase by 9 orders of magnitude greater than the_amountOutnumber of shares passed toliquidate.Tools Used
Manual review
Recommended Mitigation Steps
Consider passing the value
_amountOut * (FEE_PRECISION - _yieldFeePercentage) / FEE_PRECISIONto_increaseYieldFeeBalance.Assessed type
Math