c4-sponsor
commented
11 months ago asselstine marked the issue as sponsor confirmed
Open code423n4 opened 12 months ago
c4-sponsor
commented
11 months ago asselstine marked the issue as sponsor confirmed
c4-judge
commented
11 months ago Picodes marked the issue as satisfactory
c4-judge
commented
11 months ago Picodes marked the issue as primary issue
c4-judge
commented
11 months ago Picodes marked the issue as duplicate of #435
Picodes
commented
11 months ago c4-judge
commented
11 months ago Picodes marked the issue as selected for report
PierrickGT
commented
11 months ago Fixed in the following PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/11
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L407-L415
Vulnerability details
Impact
It is theoretically possible for the deposit amount to mint shares more than the
maxMintamountProof of Concept
The deposit function has a check for
maxDepositand reverts if the deposit value is more than max(uint96). But, it does not check the shares to be less thanmaxMintamount and hence bypasses this check. Theoretically, if the assets are equal to max(uint96) and if the vault is under-collateralised, the ratio of_assetUnitto_exchangeRateis greater than or equal to 2, then the calculation in_convertToShares:_assets.mulDiv(_assetUnit, _exchangeRate, _rounding);could return a value more than themaxMintamount. This is possible in those scenarios where the_assetUnitis a big enough number (possible, as there is no limit on the decimals of the underlying asset, and_assetUnit = 10 ** super.decimals()) and the Vault is severely under-collateralized.Tools Used
Manual Review
Recommended Mitigation Steps
Include the maxMint check in the deposit function to prevent this problem.
Assessed type
Invalid Validation