Closed code423n4 closed 1 year ago
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L216 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L218
if liquidity is 0, one should be able to redeem all GEV tokens when calling GeVault.withdraw() according to intended design, see here
if (liquidity == 0) liquidity = balanceOf(msg.sender);
but this isn't going to happen due to a conflicting check i.e this
require(liquidity > 0, "GEV: Withdraw Zero");
It won't be possible to redeem all GEV tokens by passing 0 as liquidity when calling GeVault.withdraw().
This check
prevents the below line of code
LOFI Radio and Manual Review
remove this check
DoS
141345 marked the issue as low quality report
invalid
if (liquidity == 0) liquidity = balanceOf(msg.sender); then liquidity > 0
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L216 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L218
Vulnerability details
Impact
if liquidity is 0, one should be able to redeem all GEV tokens when calling GeVault.withdraw() according to intended design, see here
but this isn't going to happen due to a conflicting check i.e this
It won't be possible to redeem all GEV tokens by passing 0 as liquidity when calling GeVault.withdraw().
Proof of Concept
This check
prevents the below line of code
Tools Used
LOFI Radio and Manual Review
Recommended Mitigation Steps
remove this check
Assessed type
DoS