Open c4-submissions opened 1 year ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as primary issue
maxDeposit, maxMint, maxWithdraw, maxRedeem correlate to values returned by Centrifuge after request executions, NOT the way you perceived.
gzeon-c4 marked the issue as unsatisfactory: Invalid
gzeon-c4 removed the grade
does seems to be out of compliance since it is possible to have a nonzero maxDeposit but then removed from the member list
hieronx (sponsor) confirmed
Valid but low risk
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L129-L132 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L154-L157 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L164-L167 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L186-L189 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/InvestmentManager.sol#L349-L367 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/InvestmentManager.sol#L323-L347
Vulnerability details
Impact
The implementations of
maxDeposit
,maxMint
,maxWithdraw
,maxRedeem
do not take into account additional limits and revert conditions that are present in the corresponding action functions. Therefore themax
- functions may overestimate the amount in some cases. This breaks the on-chain composability of ERC4626 vaults.maxDeposit
According to the ERC-4626 specification,
maxDeposit
always returnsorderbook[user][liquidityPool].maxDeposit
.However, the implementation of the deposit flow in
InvestmentManager.processDeposit
has additional revert conditions:maxDeposit
must return 0 in the cases where executing the deposit would revert with"LiquidityPool/deposit-token-price-0"
or"InvestmentManager/trancheTokens-not-a-member"
.maxMint
,maxWithdraw
,maxRedeem
The analysis of
maxDeposit
applies analogously tomaxMint
,maxWithdraw
andmaxRedeem
:InvestmentManager.processMint
has the following revert conditions not handled bymaxMint
:"LiquidityPool/deposit-token-price-0"
,"InvestmentManager/trancheTokens-not-a-member"
.InvestmentManager.processWithdraw
has the following revert conditions not handled bymaxWithdraw
:"LiquidityPool/redeem-token-price-0"
.InvestmentManager.processRedeem
has the following revert conditions not handled bymaxRedeem
:"LiquidityPool/redeem-token-price-0"
.Additional sources of non-compliance
Due to the fact that the system handles withdraw/redeem action by syndicating them and executing them by a trusted party, these approval flows are not implemented.
The corresponding functions in
InvestmentManager
have theauth
modifier, meaning that they will revert ifLiquidityPool
is not a ward ofInvestmentManager
. This should not be the case if the system is configured correctly, however there is still a theoretical case of non-compliance.Tools Used
Manual Review
Recommended Mitigation Steps
The requirements by ERC4626 are there to make vaults composable by default.
0
in themax
-function if the additional revert conditions in theprocess-
functions.auth
modifier fromconvertToShares
andconvertToAssets
.Assessed type
ERC4626