code-423n4 / 2023-07-pooltogether-findings

balanceOf method can be manipulated to liquidate vault #451

Closed code423n4 closed 11 months ago

code423n4 commented 12 months ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L578

Vulnerability details

Impact

Deriving price from balanceOf can be manipulated to liquidate the vault; see the example at https://solodit.xyz/issues/deriving-price-with-balanceof-is-dangerous-spearbit-connext-pdf. An attacker can provide ERC20 tokens to the vaultAsset and mint vault shares. The deposited tokens will then be withdrawn while having the same shares in the vault. The shares will then be used to liquidate the vault, causing loss of funds for other depositors.

Proof of Concept

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L578

Tools Used

Manual review / previous audit findings.

Recommended Mitigation Steps

The method in this regard is based on interlinking the assets provided with vault shares, with a function of burning vault shares when the asset provided is withdrawn.

Assessed type

Other

asselstine commented 11 months ago

This issue speaks of deriving a price from balanceOf, but that isn't happening anywhere near the line that they linked.

c4-sponsor commented 11 months ago

asselstine marked the issue as sponsor disputed

c4-judge commented 11 months ago

Picodes marked the issue as unsatisfactory: Invalid