Closed code423n4 closed 1 year ago
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L518 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L532
On every withdraw/redeem, assets in the vault will decrease faster than expected and finally, the vault will drain.
Vault._withdraw assumes _yieldVault.withdraw(_assets, address(this), address(this)); will return the same amount of tokens as _assets but this is not the case if _yieldVault is a fee-on-transfer token. https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1026-L1027
Vault._withdraw
_yieldVault.withdraw(_assets, address(this), address(this));
_assets
_yieldVault
Manual review
Calculate the difference of the asset and transfer the amount to the receiver.
+ uint256 assetBefore = IERC20(asset()).balanceOf(address(this)); _yieldVault.withdraw(_assets, address(this), address(this)); + uint256 assetAfter = IERC20(asset()).balanceOf(address(this)); SafeERC20.safeTransfer(IERC20(asset()), _receiver, assetAfter - assetBefore);
Token-Transfer
Picodes marked the issue as duplicate of #470
Picodes marked the issue as satisfactory
Picodes marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L518 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L532
Vulnerability details
Impact
On every withdraw/redeem, assets in the vault will decrease faster than expected and finally, the vault will drain.
Proof of Concept
Vault._withdraw
assumes_yieldVault.withdraw(_assets, address(this), address(this));
will return the same amount of tokens as_assets
but this is not the case if_yieldVault
is a fee-on-transfer token. https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1026-L1027Tools Used
Manual review
Recommended Mitigation Steps
Calculate the difference of the asset and transfer the amount to the receiver.
Assessed type
Token-Transfer