Open code423n4 opened 12 months ago
asselstine marked the issue as sponsor confirmed
Picodes marked the issue as satisfactory
Picodes marked the issue as primary issue
Picodes marked the issue as duplicate of #435
Picodes marked the issue as selected for report
Fixed in the following PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/11
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L407-L415
Vulnerability details
Impact
It is theoretically possible for the deposit amount to mint shares more than the maxMint amount
Proof of Concept
The deposit function has a check for maxDeposit and reverts if the deposit value is more than max(uint96). But, it does not check the shares to be less than maxMint amount and hence bypasses this check. Theoretically, if the assets are equal to max(uint96) and if the vault is under-collateralised, the ratio of _assetUnit to _exchangeRate is greater than or equal to 2, then the calculation in _convertToShares:
_assets.mulDiv(_assetUnit, _exchangeRate, _rounding);
could return a value more than the maxMint amount. This is possible in those scenarios where the _assetUnit is a big enough number (possible, as there is no limit on the decimals of the underlying asset, and _assetUnit = 10 ** super.decimals()) and the Vault is severely under-collateralized.
Tools Used
Manual Review
Recommended Mitigation Steps
Include the maxMint check in the deposit function to prevent this problem.
Assessed type
Invalid Validation
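The arithmetic in the finding above, as an added Python model that is not code from Vault.sol or from the report: it compares a deposit that bounds only the assets with one that also bounds the shares, and computes the smallest deposit that passes the first check but exceeds maxMint. It assumes maxMint is the same max(uint96) bound as maxDeposit; the function names, error names and sample values are hypothetical.

```python
# Constructed model of the share math in the finding; not the project's Vault.sol.
UINT96_MAX = 2**96 - 1   # bound the finding gives for the maxDeposit check
MAX_MINT = UINT96_MAX    # assumption: maxMint is the same uint96 bound


class DepositMoreThanMax(Exception):
    """Assets exceed maxDeposit (hypothetical error name)."""


class MintMoreThanMax(Exception):
    """Shares exceed maxMint (hypothetical error name)."""


def convert_to_shares(assets: int, asset_unit: int, exchange_rate: int) -> int:
    # Models _assets.mulDiv(_assetUnit, _exchangeRate, _rounding), rounding down.
    # Python ints are arbitrary precision, like mulDiv's full-width product.
    if exchange_rate <= 0:
        raise ValueError("model requires a positive exchange rate")
    return assets * asset_unit // exchange_rate


def deposit_unchecked(assets: int, asset_unit: int, exchange_rate: int) -> int:
    """Behaviour the finding describes: only the asset amount is bounded."""
    if assets > UINT96_MAX:
        raise DepositMoreThanMax(assets)
    return convert_to_shares(assets, asset_unit, exchange_rate)


def deposit_checked(assets: int, asset_unit: int, exchange_rate: int) -> int:
    """Recommended mitigation: also bound the minted shares by maxMint."""
    shares = deposit_unchecked(assets, asset_unit, exchange_rate)
    if shares > MAX_MINT:
        raise MintMoreThanMax(shares)
    return shares


def smallest_bypassing_deposit(asset_unit: int, exchange_rate: int):
    """Smallest deposit within maxDeposit whose shares exceed maxMint, else None."""
    # floor(a * unit / rate) > MAX_MINT  <=>  a >= ceil((MAX_MINT + 1) * rate / unit)
    need = -(-(MAX_MINT + 1) * exchange_rate // asset_unit)
    return need if need <= UINT96_MAX else None


if __name__ == "__main__":
    unit, rate = 10**18, 5 * 10**17   # constructed: 18 decimals, ratio of 2
    print(deposit_unchecked(UINT96_MAX, unit, rate) > MAX_MINT)
    print(smallest_bypassing_deposit(unit, rate) == 2**95)
```

With a fully collateralized rate (exchange rate equal to the asset unit) `smallest_bypassing_deposit` returns `None`, so the gap only opens once the vault is under-collateralized.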