Closed code423n4 closed 1 year ago
I assume this is not the intended behavior and user are not supposed to send tokens in advance, unless they go through a router and do both actions in the same transaction.
Picodes changed the severity to QA (Quality Assurance)
Exactly, this is definitely not the intended behavior.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L941-L957
Vulnerability details
Impact
Loss of funds from any vault created through
VaultFactory
, the funds can be swept by anyone after a legit deposit performed by a direct transfer.Proof of Concept
There are two main ways to deposit into a vault, according to the sponsor:
A contract can transfer assets to the
Vault
then call thedeposit()
function to deposit the additional balance.A contract can approve a
Vault
allowance and call thedeposit()
function. TheVault
will usesafeTransferFrom
to transfer-in the required tokens.Due to point 1, the vault is vulnerable to being swept by anyone. This is part of the deposit logic:
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L941-L957
Basically, if there are already some funds in the vault, and the deposited
_assets
are less or equal to_vaultAssets
, thesafeTransferFrom
will be skipped, but the shares will still be minted to the_receiver
.An attack would look like this:
deposit
function to get the sharesdeposit
call with_assets <= _vaultAssets
Tools Used
Manual review
Recommended Mitigation Steps
Consider always performing the transfer, even when there are enough funds inside the vault.
Assessed type
Invalid Validation