Closed c4-bot-6 closed 3 months ago
0xRektora (sponsor) acknowledged
0xRektora marked the issue as disagree with severity
I'll put it as informational. Issue is valid but not in the context of Tapioca. Users can lock with USDO only, which means only USDO YB asset will be in TOLP, and USDO is a 1e18 decimal asset.
dmvt marked the issue as unsatisfactory: Overinflated severity
dmvt changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/options/TapiocaOptionBroker.sol#L74
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/options/TapiocaOptionBroker.sol#L266
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/options/TapiocaOptionBroker.sol#L284
Vulnerability details
Impact
Lack of consideration for underlying YieldBox token decimals when computing computeMinWeight
Proof of Concept
TapiocaOptionBroker has this state, the virtual total amount:
When computing the min voting power, the function is called:
We are adding:
What is pool.totalDeposited?
pool.totalDeposited is the locked yield box shares.
When the user calls lock via the TapiocaOptionLiquidityProvision contract,
the ybShares is the amount of shares the user transferred:
But the underlying ybShares decimals are the token decimals in the yield box contracts,
which calls the function:
The decimals are the same as the underlying token decimals.
This means that if the underlying token is USDC / USDT, the decimals for the yield box will be 6 instead of 18.
Then we are trying to add a 6-decimal number to the 18-decimal default virtual amount setting,
which makes the state pool.totalDeposited, which derives from yield box shares, too small and voids out the position that has hasVotingPower for a yield box that has small underlying token decimals.
Note that in the current implementation in TapiocaOptionBroker.sol
the problem can be resolved by resetting VIRTUAL_TOTAL_AMOUNT,
but if we search across the codebase, the function above is never called, even in the test files, which shows that the protocol had no awareness of this issue before.
So the safe way to resolve this is to avoid the unsafe default VIRTUAL_TOTAL_AMOUNT.
Tools Used
Manual Review
Recommended Mitigation Steps
Scale the VIRTUAL_TOTAL_AMOUNT = 10000 * 10 ** yieldBox.decimals()
Assessed type
Decimal
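An added worked example (not part of the report or of Tapioca's code) that models the arithmetic the report describes and the recommended scaling. It assumes the threshold is a basis-point fraction of pool.totalDeposited + VIRTUAL_TOTAL_AMOUNT; the 10% factor, the function names and the pool figures are constructed for illustration.

```python
# Integer model of the voting-power threshold described in the report.
# Assumptions (not from the page): the threshold is a basis-point fraction of
# totalDeposited + VIRTUAL_TOTAL_AMOUNT, and the factor is 10% (1_000 bps).

BPS = 10_000
MIN_WEIGHT_FACTOR_BPS = 1_000  # assumed 10%


def virtual_total_amount(decimals: int) -> int:
    """10000 whole units expressed in the given decimals (the report's mitigation)."""
    return 10_000 * 10 ** decimals


def min_weight(total_deposited: int, virtual_amount: int) -> int:
    """Smallest share amount that still counts as having voting power."""
    return (total_deposited + virtual_amount) * MIN_WEIGHT_FACTOR_BPS // BPS


def has_voting_power(lock_shares: int, total_deposited: int, virtual_amount: int) -> bool:
    return lock_shares >= min_weight(total_deposited, virtual_amount)


def scenario(asset_decimals: int, virtual_decimals: int) -> dict:
    """Constructed pool: 50,000 tokens deposited in total, one lock of 10,000 tokens."""
    unit = 10 ** asset_decimals
    total, lock = 50_000 * unit, 10_000 * unit
    virtual = virtual_total_amount(virtual_decimals)
    threshold = min_weight(total, virtual)
    return {
        "threshold_in_tokens": threshold // unit,
        "has_voting_power": has_voting_power(lock, total, virtual),
    }


if __name__ == "__main__":
    # 18-decimal asset, 18-decimal virtual amount: units agree.
    print("18/18:", scenario(18, 18))
    # 6-decimal asset against the fixed 18-decimal virtual amount: mismatch.
    print(" 6/18:", scenario(6, 18))
    # 6-decimal asset with the virtual amount scaled to the asset decimals.
    print(" 6/6 :", scenario(6, 6))
```

With the mismatch, the threshold expressed in whole tokens is dominated by the 18-decimal virtual amount, so a lock that is 20% of the pool no longer qualifies; with matching decimals the same lock passes in both the 18-decimal and 6-decimal cases.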