Closed c4-bot-5 closed 5 months ago
This is yet another report without POC or legit proof. Please pay attention to the code base, you can clearly see there are a lot of tests proving you are wrong.
1) All pools are initialized with pseudoTotalPool never 0; it is always 1E3, aka GHOST_AMOUNT
2) Take a look here: https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PoolManager.sol#L248
You will see that when the pool is created the amount of pseudoTotalPool is NOT equal to 0
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLendingDeclaration.sol#L188
So even the first statement and the title of this submission are already wrong:
"The first deposit of each pool token will revert" - WRONG
"when deposit in wise lending, because of the initial number of lendingPoolData[_poolToken].pseudoTotalPool is zero" - WRONG
GalloDaSballo marked the issue as insufficient quality report
I agree with the Sponsor that such a report purposefully removed the POC as obfuscation; these types of reports should have a POC instead of a wall of text.
trust1995 marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L33-L45
Vulnerability details
When depositing in Wise Lending, because the initial number of lendingPoolData[_poolToken].pseudoTotalPool is zero, it will revert in the _calculateShares function.
Impact
All tokens can't be deposited in Wise Lending in unsolely model.
Proof of Concept
Using the depositExactAmount function as an example:
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L469-L474
It will call _handleDeposit:
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseCore.sol#L115-L121
And call calculateLendingShares to calculate the shares:
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L17C14-L45
When pseudoTotalPool is zero, _calculateShares will revert, because division by zero will revert.
So all pool tokens can't be deposited because the initial number of lendingPoolData[_poolToken].pseudoTotalPool is zero.
Tool Used
Foundry, VS Code
Recommended Mitigation Steps
Add processing logic for the case lendingPoolData[_poolToken].pseudoTotalPool == 0
Assessed type
Math
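The disagreement in this thread comes down to the pool's starting state. As an added example (not code from the report, the sponsor or the Wise Lending repository), the simplified model below contrasts a first deposit into a pool seeded with GHOST_AMOUNT against one left at zero. The contract and function names, the share formula and the seeding of totalDepositShares are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this example; NOT the Wise Lending contracts.
// Assumption: shares = amount * totalDepositShares / pseudoTotalPool.
contract PoolModel {
    uint256 public constant GHOST_AMOUNT = 1e3; // seed value named in the thread

    struct LendingPool {
        uint256 pseudoTotalPool;
        uint256 totalDepositShares;
    }

    mapping(address => LendingPool) public lendingPoolData;

    // Seeded creation: both counters start at GHOST_AMOUNT, never 0.
    function createPoolSeeded(address token) external {
        lendingPoolData[token] = LendingPool(GHOST_AMOUNT, GHOST_AMOUNT);
    }

    // Hypothetical unseeded creation: the starting state the report assumed.
    function createPoolUnseeded(address token) external {
        lendingPoolData[token] = LendingPool(0, 0);
    }

    function deposit(address token, uint256 amount) external returns (uint256 shares) {
        LendingPool storage p = lendingPoolData[token];
        // Division by zero reverts with Panic(0x12) in Solidity >= 0.8.
        shares = amount * p.totalDepositShares / p.pseudoTotalPool;
        p.pseudoTotalPool += amount;
        p.totalDepositShares += shares;
    }
}

contract FirstDepositCheck {
    // Returns the shares minted in the seeded pool and whether the unseeded deposit reverted.
    function run() external returns (uint256 seededShares, bool unseededReverted) {
        PoolModel m = new PoolModel();
        m.createPoolSeeded(address(1));
        seededShares = m.deposit(address(1), 1e18); // 1e18 * 1e3 / 1e3 = 1e18

        m.createPoolUnseeded(address(2));
        try m.deposit(address(2), 1e18) {
            unseededReverted = false;
        } catch {
            unseededReverted = true; // 0 / 0 panics
        }
    }
}
```

A check of this shape against the real pool-creation path is the kind of POC the sponsor and judge asked for: it shows whether the first deposit reverts from the state the contracts actually start in.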