The previewDeposit and previewDepositIBT functions in PrincipalToken.sol rely on the IBT vault's previewDeposit to determine the expected minted shares (previewDeposit & previewDepositIBT):

    function previewDeposit(uint256 assets) public view override returns (uint256) {
        uint256 ibts = IERC4626(ibt).previewDeposit(assets);
        return _previewDepositIBT(ibts);
    }

    function previewDepositIBT(uint256 ibts) external view override returns (uint256) {
        return _previewDepositIBT(ibts);
    }

A malicious IBT vault could exploit this by manipulating previewDeposit to return inconsistent values. For example:

    function previewDeposit(uint assets) external view returns (uint) {
        // Return double the expected ibts
        return assets * 2;
    }

When users deposit based on the inflated previewDeposit value, more PT shares would be minted than expected based on the actual ibts deposited into the vault. This disproportionately dilutes existing PT holders by minting excess shares.
Tools Used
Manual review
Recommended Mitigation Steps
Introduce safeguards around the use of previewDeposit.
Include a tolerance range. If the actual deposited IBTs differ significantly from the preview value, either block the deposit or trigger an alert.
Use historical data on deposits and share issuance to detect suspicious discrepancies.
If possible, restrict interaction with IBT vaults to only those that are known to be reliable and have undergone security audits. Maintain a whitelist of approved vaults.
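
One way to combine the tolerance check and the vault whitelist recommended above, as an added example that is not code from the report or from Spectra's PrincipalToken. The contract name, `toleranceBps`, `approvedVault` and the minimal interfaces are assumptions made for illustration; it assumes an underlying token that returns a bool from transferFrom and approve, and it leaves the received IBTs in the guard contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces declared inline so the example is self-contained.
interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}
interface IERC4626Like is IERC20Like {
    function asset() external view returns (address);
    function previewDeposit(uint256 assets) external view returns (uint256);
    function deposit(uint256 assets, address receiver) external returns (uint256);
}

// Hypothetical guard contract; not part of Spectra's PrincipalToken.
contract GuardedIBTDeposit {
    uint256 public constant BPS = 10_000;
    uint256 public immutable toleranceBps; // assumed parameter, e.g. 50 = 0.5%
    address public immutable owner;
    mapping(address => bool) public approvedVault; // allowlist of vetted IBT vaults

    error VaultNotApproved(address vault);
    error PreviewMismatch(uint256 previewed, uint256 received);

    constructor(uint256 toleranceBps_) {
        toleranceBps = toleranceBps_;
        owner = msg.sender;
    }

    function setApproved(address vault, bool ok) external {
        require(msg.sender == owner, "not owner");
        approvedVault[vault] = ok;
    }

    // Deposits `assets` and returns the IBTs actually received by this contract.
    function depositChecked(address vault, uint256 assets) external returns (uint256 received) {
        if (!approvedVault[vault]) revert VaultNotApproved(vault);
        IERC4626Like v = IERC4626Like(vault);
        IERC20Like underlying = IERC20Like(v.asset());
        uint256 previewed = v.previewDeposit(assets);
        require(underlying.transferFrom(msg.sender, address(this), assets), "pull failed");
        require(underlying.approve(vault, assets), "approve failed");
        uint256 before = v.balanceOf(address(this));
        v.deposit(assets, address(this));
        received = v.balanceOf(address(this)) - before; // measured delta, not the vault's return value
        uint256 diff = previewed > received ? previewed - received : received - previewed;
        if (diff * BPS > previewed * toleranceBps) revert PreviewMismatch(previewed, received);
    }
}
```

Any share accounting built on top of this should use `received`, never the previewed figure. The balance-delta check still trusts the vault's own balanceOf, which is why the allowlist is checked first.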
Lines of code
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L430-L438
Assessed type
Error