Open c4-submissions opened 1 year ago
valid, we should calculate withdrawTime with the vEth amount but not the afEth amount. It is a dupe and will mark later
0xleastwood marked the issue as duplicate of #18
0xleastwood marked the issue as satisfactory
0xleastwood changed the severity to 3 (High Risk)
0xleastwood changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by 0xleastwood
0xleastwood marked the issue as not a duplicate
0xleastwood changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by 0xleastwood
This previously downgraded issue has been upgraded by 0xleastwood
0xleastwood removed the grade
0xleastwood changed the severity to QA (Quality Assurance)
elmutt (sponsor) confirmed
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L235
Vulnerability details
Impact
AfEth.withdrawTime will show wrong(likely longer time)
Proof of Concept
AfEth.withdrawTime function should show how many time user will need to wait to witdraw some
amount
of afEth token.https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L234-L236
As you can see function forwards amount to the
vEthAddress.withdrawTime
function. This is actually incorrect as user will not withdrawamount
of vEth tokens, he will withdraw only part of it, that depends on ratio.As result function will likely show bigger time to withdraw, which can create problems when another protocol will integrate afEth.
Tools Used
VsCode
Recommended Mitigation Steps
Calculate withdraw time only for part of
_amount
.Assessed type
Error