Closed c4-bot-10 closed 5 months ago
raymondfam marked the issue as insufficient quality report
On top of comments on #186, deposit and minting are denied in lossy recovery mode:
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L874
raymondfam marked the issue as duplicate of #186
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L441-L450
Vulnerability details
Impact
When _totalAssets < totalDebt_, shares and assets are not 1:1, but previewDeposit and previewMint still work as if they are 1:1, and result in incorrect values. The impact is that the user's withdrawals will revert, as it tends to burn more shares than minted.
Proof of Concept
As shown in previewDeposit and previewMint, shares and assets are always 1:1.
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L441-L450
But according to previewWithdraw, shares and assets are not always 1:1. When _totalAssets < totalDebt_, one asset will return more shares.
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L454-L467
Let's assume that _totalAssets < totalDebt_ has occurred, and assume _totalAssets = 100, totalDebt_ = 110 for simplicity. Consider the following scenario:
previewDeposit)
previewWithdraw).
As long as the assets and shares are not 1:1, Alice cannot withdraw all her assets.
Tools Used
VSCode
Recommended Mitigation Steps
Assessed type
Math
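The accounting discussed in this issue, as an added Python model that is not PrizeVault code and not part of the original report. It uses the report's figures (100 assets, 110 debt) and assumes a pro-rata conversion rounded up on withdrawal plus the deposit guard described in the judging comment ("deposit and minting are denied in lossy recovery mode"); all class and function names are hypothetical.

```python
# Added illustration: a simplified model, not PrizeVault code. All names are
# hypothetical; the ceil-rounded pro-rata conversion is an assumption.

class LossyDeposit(Exception):
    """Deposit or mint attempted while total assets < total debt."""

class VaultModel:
    def __init__(self, total_assets: int, total_debt: int):
        self.total_assets = total_assets  # assets the vault controls
        self.total_debt = total_debt      # shares owed to depositors
        self.shares = {}                  # per-user share balances

    def is_lossy(self) -> bool:
        return self.total_assets < self.total_debt

    def preview_deposit(self, assets: int) -> int:
        return assets  # always 1:1, as the report observes

    def preview_withdraw(self, assets: int) -> int:
        if self.total_assets == 0:
            raise ValueError("vault controls no assets")
        if not self.is_lossy():
            return assets
        # Lossy state: each asset costs more than one share (rounded up).
        return -(-assets * self.total_debt // self.total_assets)

    def deposit(self, user: str, assets: int) -> int:
        # Assumed guard: the 1:1 mint path is unreachable in the lossy state.
        if self.is_lossy():
            raise LossyDeposit(f"{self.total_assets} < {self.total_debt}")
        minted = self.preview_deposit(assets)
        self.total_assets += assets
        self.total_debt += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def withdraw(self, user: str, assets: int) -> int:
        burned = self.preview_withdraw(assets)
        if burned > self.shares.get(user, 0):
            raise ValueError("burn exceeds share balance")
        self.shares[user] = self.shares.get(user, 0) - burned
        self.total_assets -= assets
        self.total_debt -= burned
        return burned

def lossy_deposit_blocked(total_assets: int = 100, total_debt: int = 110) -> bool:
    """True if a 10-asset deposit is rejected for the given vault state."""
    try:
        VaultModel(total_assets, total_debt).deposit("alice", 10)
    except LossyDeposit:
        return True
    return False
```

In the model, the mismatch between the two previews only matters if shares can be minted while the vault is lossy, which is the state the guard rejects.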