Lines of code
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L229
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L253
Vulnerability details
Impact
Users attempting to redeem small amounts of shares could lose these shares without receiving any underlying assets or IBTs.
Proof of Concept
The redeem function allows users to redeem their PT shares in exchange for the underlying assets. It first converts the PT shares to IBTs using _convertSharesToIBTs before redeeming them from the IBT contract.
The _convertSharesToIBTs function converts PT shares to IBTs with an option to round the result up or down.
In the redeem function, roundup is set to false, meaning it will always round down when converting to IBTs.
When users try to redeem a very small number of PT shares, the conversion might result in an IBT amount of zero due to rounding down; consequently, the redeemed assets become 0. This scenario could lead to a loss of shares for the user without receiving any assets in return.
The same applies to redeemIBT, which will result in the user being sent 0 IBTs when the shares to be redeemed are too small.
Tools Used
Manual Review
Recommended Mitigation Steps
Implement a minimum redeemable share amount to prevent rounding to zero, or revert in case of 0 IBTs.
Assessed type
Math
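The rounding behaviour and the revert-on-zero mitigation described above, as an added example in a simplified model; this is not code from PrincipalToken.sol. The contract, its function names, the conversion formula (shares * ptRate / ibtRate) and the rate values are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the finding (hypothetical contract, not Spectra's code).
/// Assumption: shares convert to IBTs as shares * ptRate / ibtRate.
contract RedeemRoundingModel {
    uint256 public ptRate = 1e27;  // constructed value: 1 PT share = 1 underlying
    uint256 public ibtRate = 2e27; // constructed value: 1 IBT = 2 underlying

    mapping(address => uint256) public shares;  // PT share balances
    mapping(address => uint256) public ibtOwed; // IBTs credited on redeem

    error ZeroIBTs();

    function mint(address to, uint256 amount) external {
        shares[to] += amount;
    }

    // Conversion with an option to round up; integer division floors otherwise.
    function convertSharesToIBTs(uint256 s, bool roundUp) public view returns (uint256 ibts) {
        uint256 num = s * ptRate;
        ibts = num / ibtRate;
        if (roundUp && num % ibtRate != 0) ibts += 1;
    }

    // Behaviour described in the finding: shares are burned even when the
    // floored conversion is 0, e.g. redeeming 1 share at the rates above.
    function redeemUnchecked(uint256 s) external returns (uint256 ibts) {
        ibts = convertSharesToIBTs(s, false);
        shares[msg.sender] -= s; // reverts on insufficient balance (0.8 checked math)
        ibtOwed[msg.sender] += ibts;
    }

    // Recommended mitigation: revert when the conversion floors to zero,
    // so the caller keeps the shares instead of burning them for nothing.
    function redeemChecked(uint256 s) external returns (uint256 ibts) {
        ibts = convertSharesToIBTs(s, false);
        if (ibts == 0) revert ZeroIBTs();
        shares[msg.sender] -= s;
        ibtOwed[msg.sender] += ibts;
    }
}
```

With these constructed rates, redeemUnchecked(1) burns one share and credits 0 IBTs, while redeemChecked(1) reverts with ZeroIBTs and leaves the balance untouched.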