Open code423n4 opened 1 year ago
Picodes marked the issue as duplicate of #5
Picodes marked the issue as selected for report
asselstine marked the issue as sponsor confirmed
Fixed in this PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/6
Picodes marked the issue as satisfactory
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L550-L587
Vulnerability details
Impact
In the liquidate function from the Vault contract, the input argument _amountOut is used as if it was representing a value of asset amount and share amount at the same time, which is impossible as there is a conversion rate between them. This error will make the liquidate function behave in an expected manner, not the one that was intended.
Proof of Concept
The issue is occurring in the liquidate function below:
As you can see from the code above, the value of the argument _amountOut is used multiple times in the function logic, and each time it is representing either an asset amount or a share amount, which is impossible as there is a conversion formula used to transform an asset amount into a share amount (and inversely) with the function _convertToShares (or _convertToAssets).
From the function comments I couldn't figure out what the value of _amountOut actually represents, but because there is also another argument given to the liquidate function which is _tokenOut == address(this), I'm supposing that _amountOut is representing a share amount, which will mean that all the instances highlighted in the code above when _amountOut is considered as an asset amount are wrong.
And before comparing _amountOut to the asset amount values _vaultAssets and _liquidableYield, its value should be converted to an asset amount with the function _convertToAssets.
This issue will cause problems for the protocol working, as the liquidate function logic will not behave as expected (because it's comparing values that represent different things).
** Note: if _amountOut is actually representing an asset amount (not a share amount as I supposed), the issue is still valid because _amountOut is also used as being a share amount inside the liquidate function; in that case it should first be converted to a share amount with _convertToShares in order to get the correct behavior of the liquidate function.
Tools Used
Manual review
Recommended Mitigation Steps
To solve this issue I recommend to first convert the value of _amountOut in the liquidate function to an asset amount and store it in a local variable _amountOutToAsset, and in the function logic use the correct variable (either _amountOut or _amountOutToAsset) when interacting with a share amount or an asset amount.
Assessed type
Error
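The unit mismatch described in this report, as an added example that is not part of the original issue and is not the Vault.sol code: a simplified Python model showing that comparing a share amount directly against an asset-denominated limit gives the wrong answer whenever the exchange rate is not 1:1. The class, its method names and all numbers are assumptions constructed for illustration; only the idea of a converted amount_out_to_asset value comes from the report.

```python
from dataclasses import dataclass


@dataclass
class VaultModel:
    """Simplified share/asset accounting (hypothetical, not the Vault contract)."""
    total_assets: int      # assets backing the shares (constructed value)
    total_shares: int      # shares outstanding (constructed value)
    liquidable_yield: int  # yield available for liquidation, in ASSET units

    def convert_to_assets(self, shares: int) -> int:
        # Integer division rounds down, as on-chain arithmetic would.
        return shares * self.total_assets // self.total_shares

    def convert_to_shares(self, assets: int) -> int:
        return assets * self.total_shares // self.total_assets

    def check_mixed_units(self, amount_out: int) -> bool:
        # Pattern from the report: a share amount compared directly
        # with an asset-denominated limit.
        return amount_out <= self.liquidable_yield

    def check_converted(self, amount_out: int) -> bool:
        # Recommended pattern: convert once, then compare like with like.
        amount_out_to_asset = self.convert_to_assets(amount_out)
        return amount_out_to_asset <= self.liquidable_yield


def compare(vault: VaultModel, amount_out_shares: int) -> dict:
    """Evaluate both checks for the same share-denominated request."""
    return {
        "asset_value": vault.convert_to_assets(amount_out_shares),
        "mixed_units_ok": vault.check_mixed_units(amount_out_shares),
        "converted_ok": vault.check_converted(amount_out_shares),
    }


# Constructed state: one share is worth 2 assets.
APPRECIATED = VaultModel(total_assets=2_000, total_shares=1_000, liquidable_yield=100)
# Constructed state: one share is worth 0.5 assets.
DEPRECIATED = VaultModel(total_assets=500, total_shares=1_000, liquidable_yield=100)

if __name__ == "__main__":
    # 80 shares are worth 160 assets: the mixed-unit check accepts too much.
    print(compare(APPRECIATED, 80))
    # 150 shares are worth 75 assets: the mixed-unit check rejects a valid request.
    print(compare(DEPRECIATED, 150))
```

At a 1:1 rate both checks agree, which is why this class of bug tends to pass tests that never move the exchange rate.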