c4-judge
commented
1 year ago Picodes marked the issue as unsatisfactory: Invalid
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago Picodes marked the issue as unsatisfactory: Invalid
Picodes
commented
1 year ago Donation would lead to the next depositor not having to bring assets in this case
Picodes
commented
1 year ago I think the donation attack may work if done in the yield vault token, but it's not the scenario here
c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
c4-judge
commented
1 year ago Picodes marked the issue as duplicate of #341
c4-judge
commented
1 year ago Picodes changed the severity to 2 (Med Risk)
c4-judge
commented
1 year ago Picodes marked the issue as partial-50
c4-judge
commented
1 year ago Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L925-L963 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L870-L873
Vulnerability details
Impact
The first depositor can be front run by an attacker and as a result, will lose a considerable part of the assets provided.
Proof of Concept
The vault calculates the amount of shares to be minted upon deposit to every user via the
convertToSharesfunction.When the pool has no share supply, the amount of shares to be minted is equal to the assets provided. An attacker can abuse this situation and profit from the rounding down operation when calculating the amount of shares if the supply is non-zero:
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L870-L873
This issue can be replicated with the following steps:
Tools Used
Manual review
Recommended Mitigation Steps
Require a minimum amount of initial shares to be minted and/or send part of the initial LP to the zero address.
Assessed type
ERC4626