Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L407-L415
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L925-L963
Vulnerability details
Impact
An attacker can steal the vault's funds.
Proof of Concept
When depositing to the vault, the _deposit() function checks whether _assets is greater than the vault's assets. If the amount the user passes in exceeds the vault's assets, the function does not take the full amount as a deposit and uses the vault's funds instead.
Say the vault holds 400e18 in funds and another user calls deposit(500e18, user). Normally the user would need to send 500e18 for 500 shares, but here they can get 500 shares by sending only 100e18.
Deposit.t.sol
Tools Used
Manual Review
Recommended Mitigation Steps
Remove this check, or track the deposited amount correctly and mint afterwards.
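The accounting gap and the first mitigation can be checked with a small model. This is an added example, not code from Vault.sol or from the original report: the class and function names are hypothetical, balances are plain integers, and a 1:1 asset-to-share rate is assumed as in the scenario above.

```python
# Simplified model (assumption): 1 share per asset, integer balances, one token.
E18 = 10**18


class VaultModel:
    def __init__(self, idle_assets, check_enabled):
        self.balance = idle_assets          # assets already held by the vault
        self.shares = {}                    # receiver -> shares minted
        self.check_enabled = check_enabled  # True models the reported behaviour

    def deposit(self, wallet, caller, assets, receiver):
        """Credit `assets` worth of shares; return what the caller really paid."""
        if self.check_enabled:
            # Reported behaviour: only the part of `assets` above the vault's
            # current balance is transferred from the caller.
            pulled = max(assets - self.balance, 0)
        else:
            # Mitigation "remove this check": always transfer the full amount.
            pulled = assets
        if wallet[caller] < pulled:
            raise ValueError("insufficient caller balance")
        wallet[caller] -= pulled
        self.balance += pulled
        # Shares are minted for the requested amount, not the amount pulled.
        self.shares[receiver] = self.shares.get(receiver, 0) + assets
        return pulled


def run_scenario(check_enabled):
    """Scenario from the report: vault holds 400e18, user deposits 500e18."""
    wallet = {"user": 500 * E18}            # constructed sample balance
    vault = VaultModel(400 * E18, check_enabled)
    pulled = vault.deposit(wallet, "user", 500 * E18, "user")
    return pulled, vault.shares["user"], vault.balance


def shortfall(check_enabled):
    """Shares credited minus assets paid; must be 0 for sound accounting."""
    pulled, minted, _ = run_scenario(check_enabled)
    return minted - pulled


if __name__ == "__main__":
    for flag in (True, False):
        print("check enabled:", flag, "shortfall:", shortfall(flag) // E18, "e18")
```

A test for the real contract can assert the same invariant: the depositor's token balance must drop by exactly the amount for which shares were minted.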
Assessed type
Other