Closed c4-bot-6 closed 3 months ago
cryptotechmaker (sponsor) disputed
I don't understand what's the issue here. When something is deposited to YB it's deposited either in amount
or shares
.
dmvt marked the issue as primary issue
dmvt marked the issue as selected for report
This issue is invalid. It shows no attack path or exploit scenario.
The report states It may result in the user receiving lower shares than expected from depositing
. Receiving more or less shares does not constitute as loss of funds. If the user is unable to recover the amount of funds they had deposited by burning their received shares, THEN the user has lost funds. But this report does not describe any such scenario.
The report has no POC to show any loss, does not describe any loss of funds for the user. Even simple erc4626 vaults can have unpredictable share ratios, however that is not an issue. It is only an issue if these share ratios are manipulatable in some way, which is not demonstrated here.
There is no factual argument given here showing any loss, and the yieldbox works exactly as intended.
Agreed. This is a bad click on my part which I'm going to chalk up to the tooling issues experienced in this contest.
dmvt marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarMintCommonModule.sol#L150 https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarAssetModule.sol#L95 https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarCollateralModule.sol#L83
Vulnerability details
Description
There are many functions of Magnetar's modules which attempt to deposit assets into YieldBox. For example, in the
_depositYBLendSGL
function of MagnetarMintCommonModuleHowever, there is no slippage check for depositing assets into YieldBox, while the ratio between shares and the amount in YieldBox always fluctuates (see code snippet). It may result in the user receiving lower shares than expected from depositing.
Impact
When using Magnetar's functions, users will face risks from the fluctuation of YieldBox's shares and amounts, which may lead to unexpected losses when depositing to YieldBox.
Tools Used
Manual review
Recommended Mitigation Steps
Slippage checks should be added whenever depositing to YieldBox
Assessed type
Other