Open code423n4 opened 1 year ago
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L960
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L873
Vulnerability details
Impact
When users deposit their assets, the resulting shares might be zero due to rounding.
If this happens the transaction will not revert and no shares will be minted, but users will still lose their funds and gain nothing.
Proof of Concept
There are no checks for zero shares minted in deposit, nor in _deposit:
```solidity
function deposit(uint256 _assets, address _receiver) public virtual override returns (uint256) {
  if (_assets > maxDeposit(_receiver))
    revert DepositMoreThanMax(_receiver, _assets, maxDeposit(_receiver));

  uint256 _shares = _convertToShares(_assets, Math.Rounding.Down);
  _deposit(msg.sender, _receiver, _assets, _shares);

  return _shares;
}
```
The issue can be replicated with the following steps:
_assets.mulDiv(_assetUnit, _exchangeRate, _rounding)
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L873
Resulting shares are zero as _rounding is down (this is correct and EIP-4626 compliant), but then the transaction doesn't revert.
Bob transferred his _assets but he gains zero shares, losing his funds.
Tools Used
Manual review
Recommended Mitigation Steps
Consider reverting the transaction if a deposit would result in zero shares minted.
Assessed type
Invalid Validation
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Fixed in the following PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/17
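The recommended mitigation from the report, as an added example (not code from the vault repository or from the linked PR): a minimal ledger that keeps the round-down conversion and reverts when it yields zero shares. The contract, the error names and `depositUnchecked` are hypothetical, and plain checked arithmetic stands in for `mulDiv`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not PoolTogether code. A share ledger that keeps the
// round-down conversion from the report and shows the deposit path with and
// without a zero-share check. Token transfers are left out; only the
// accounting is modelled.
contract ZeroShareGuardExample {
    error ZeroExchangeRate();
    error ZeroSharesMinted(uint256 assets, uint256 exchangeRate);

    uint256 public immutable assetUnit; // 10 ** asset decimals (assumed)
    uint256 public exchangeRate;        // assets per share, scaled by assetUnit (assumed)
    uint256 public totalAssets;
    mapping(address => uint256) public sharesOf;

    constructor(uint256 _assetUnit, uint256 _exchangeRate) {
        if (_exchangeRate == 0) revert ZeroExchangeRate();
        assetUnit = _assetUnit;
        exchangeRate = _exchangeRate;
    }

    // Same shape as _assets.mulDiv(_assetUnit, _exchangeRate, Down); plain
    // checked arithmetic stands in for the library call. The result is zero
    // whenever _assets * assetUnit < exchangeRate.
    function convertToShares(uint256 _assets) public view returns (uint256) {
        return (_assets * assetUnit) / exchangeRate;
    }

    // Behaviour described in the report: assets are taken, zero shares credited.
    function depositUnchecked(uint256 _assets, address _receiver) external returns (uint256 _shares) {
        _shares = convertToShares(_assets);
        _record(_assets, _shares, _receiver);
    }

    // Recommended mitigation: revert before any state change when shares round to zero.
    function deposit(uint256 _assets, address _receiver) external returns (uint256 _shares) {
        _shares = convertToShares(_assets);
        if (_shares == 0) revert ZeroSharesMinted(_assets, exchangeRate);
        _record(_assets, _shares, _receiver);
    }

    function _record(uint256 _assets, uint256 _shares, address _receiver) private {
        totalAssets += _assets;
        sharesOf[_receiver] += _shares;
    }
}
```

With the constructed values `assetUnit = 1e6` and `exchangeRate = 2e6`, a deposit of 1 unit goes through `depositUnchecked` with no shares credited and reverts in `deposit`.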