code-423n4 / 2023-09-asymmetry-findings


AfEth withdrawing will not work when ratio will be 0 #13

Closed c4-submissions closed 9 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L175-L215

Vulnerability details

Impact

AfEth withdrawing will not work when the ratio is 0. It will not be possible to withdraw.

Proof of Concept

Any ratio for the 2 tokens of afEth can be set by the owner. The AfEth.withdraw function will not work if the ratio is 0, which means that the safEth percentage is 0. This is because safEth doesn't allow unstaking a 0 amount.

Also, when the ratio is e18, that means that the vEth percentage is 0, but the requestWithdraw function will still calculate the withdraw time, which is not needed in this case, and withdraw will be called.

Tools Used

VsCode

Recommended Mitigation Steps

First of all, calculate the withdraw time only for the vEth amount, not the whole amount. Then, if the ratio is e18, you don't need to do that. Also, don't unstake/withdraw 0 shares for safEth and vEth.

Assessed type

Error
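
An added example, not part of the original report or of the AfEth code: a simplified Python model of the ratio-0 withdrawal described in the report above, shown with and without the recommended zero-share guard. The class and function names, the one-share-per-unit accounting and the pro-rata split are assumptions made for illustration.

```python
E18 = 10**18  # ratio scale: E18 means 100% safEth, 0 means 100% vEth

class Revert(Exception):
    """Stands in for an EVM revert (the whole call is undone)."""

class VaultModel:
    """Toy two-leg vault; names and accounting are assumptions, not AfEth code."""

    def __init__(self, ratio, skip_zero_legs):
        self.ratio = ratio
        self.skip_zero_legs = skip_zero_legs  # True = recommended guard applied
        self.saf_balance = 0
        self.v_balance = 0
        self.supply = 0

    def deposit(self, amount):
        saf_part = amount * self.ratio // E18
        self.saf_balance += saf_part
        self.v_balance += amount - saf_part
        self.supply += amount  # 1 share per unit deposited, for simplicity

    def _saf_unstake(self, amount):
        # Models the behaviour stated in the report: safEth rejects a 0 amount.
        if amount == 0:
            raise Revert("safEth: cannot unstake 0")
        self.saf_balance -= amount
        return amount

    def withdraw(self, shares):
        saf_part = self.saf_balance * shares // self.supply
        v_part = self.v_balance * shares // self.supply
        out = 0
        # Unguarded path always calls unstake; it raises before any state changes.
        if saf_part > 0 or not self.skip_zero_legs:
            out += self._saf_unstake(saf_part)
        if v_part > 0:
            self.v_balance -= v_part
            out += v_part
        self.supply -= shares
        return out

def try_withdraw(ratio, skip_zero_legs, deposit=10 * E18, shares=4 * E18):
    """Deposit into a fresh vault, then withdraw; return the amount or the revert."""
    vault = VaultModel(ratio, skip_zero_legs)
    vault.deposit(deposit)
    try:
        return vault.withdraw(shares)
    except Revert as exc:
        return f"revert: {exc}"
```
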

elmutt commented 9 months ago

https://github.com/asymmetryfinance/afeth/pull/159 and https://github.com/asymmetryfinance/afeth/pull/160

c4-judge commented 9 months ago

0xleastwood marked the issue as duplicate of #36

c4-judge commented 9 months ago

0xleastwood marked the issue as not a duplicate

c4-judge commented 9 months ago

0xleastwood marked the issue as duplicate of #18

0xleastwood commented 9 months ago

So technically this is a duplicate of #18 and #36 but it fails to really describe either one in full detail. Not sure how this should be treated, but I will try to duplicate this issue so that it can be partially rewarded for both. 50% for #18 and 25% for #36.

c4-judge commented 9 months ago

0xleastwood changed the severity to 3 (High Risk)

c4-judge commented 9 months ago

0xleastwood marked the issue as partial-50

c4-judge commented 9 months ago

0xleastwood changed the severity to QA (Quality Assurance)

c4-judge commented 9 months ago

This previously downgraded issue has been upgraded by 0xleastwood

c4-judge commented 9 months ago

0xleastwood changed the severity to QA (Quality Assurance)

c4-judge commented 9 months ago

This previously downgraded issue has been upgraded by 0xleastwood

c4-judge commented 9 months ago

0xleastwood marked the issue as full credit

c4-judge commented 9 months ago

0xleastwood marked the issue as not a duplicate

c4-judge commented 9 months ago

0xleastwood marked the issue as duplicate of #36

c4-judge commented 9 months ago

0xleastwood changed the severity to 3 (High Risk)

c4-judge commented 9 months ago

0xleastwood marked the issue as partial-25