Closed code423n4 closed 1 year ago
When minting there will also be a call to https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1176, updating the rate?
Picodes marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1176
Vulnerability details
Impact
If a vault has depositors and its yield vault gets entirely wiped, isVaultCollateralized stays true, allowing the next depositor (victim) to have their shares' worth immediately divided by the current amount of shares in that vault.
Proof of Concept
In testUndercollateralizationExchangeRateReset of Undercollateralization.t.sol change the line to burn all assets of the yield vault:
Observe by running
forge test --match-test testUndercollateralizationExchangeRateReset
that assertEq(vault.isVaultCollateralized(), false); is not passing anymore.
Since the vault is still considered to be collateralized, a user can come and deposit in this vault that will:
- mint them shares on a 1:1 basis (exchange rate is _assetUnit)
- update the exchange rate, this time taking into account that _yieldVault.maxWithdraw(address(this)) is only that last user's deposit
So their shares' price will be immediately divided by the total amount of shares in the vault. Loss of funds.
Tools Used
Foundry
Recommended Mitigation Steps
Check _totalSupplyAmount if _withdrawableAssets is 0 in _currentExchangeRate
Assessed type
Invalid Validation
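The scenario and the recommended check from the report above, worked through as an added Python model; it is not the Vault.sol code or the reporter's test. The function names, the 1e18 asset unit, the 1:1 rate cap and the sample balances are assumptions built from the report's description.

```python
ASSET_UNIT = 10**18  # assumed _assetUnit for an 18-decimal asset

def current_exchange_rate(total_supply, withdrawable, mitigated=False):
    """Modelled rate: withdrawable assets per share, scaled by ASSET_UNIT."""
    if total_supply != 0 and withdrawable != 0:
        # Assumption: the rate never exceeds 1:1, so surplus yield is capped.
        return min(withdrawable, total_supply) * ASSET_UNIT // total_supply
    if mitigated and total_supply != 0:
        # Recommended check: shares exist but nothing is withdrawable.
        return 0
    return ASSET_UNIT  # reported behaviour: falls back to 1:1

def is_collateralized(total_supply, withdrawable, mitigated=False):
    return current_exchange_rate(total_supply, withdrawable, mitigated) == ASSET_UNIT

def deposit_after_wipe(existing_shares, deposit, mitigated=False):
    """Asset value of the new depositor's shares after depositing into a
    wiped vault, or None when the collateralization check refuses it."""
    if not is_collateralized(existing_shares, 0, mitigated):
        return None
    minted = deposit                       # shares minted 1:1
    total_supply = existing_shares + minted
    # Only the new deposit is withdrawable from the yield vault now.
    rate = current_exchange_rate(total_supply, deposit, mitigated)
    return minted * rate // ASSET_UNIT

if __name__ == "__main__":
    shares, deposit = 1000 * ASSET_UNIT, 100 * ASSET_UNIT  # constructed balances
    print(deposit_after_wipe(shares, deposit))
    print(deposit_after_wipe(shares, deposit, mitigated=True))
```

With 1000 existing shares and a 100-token deposit, the modelled depositor's shares are worth about 9.09 tokens without the check, while the check makes the vault report itself as undercollateralized so the deposit is refused.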