Open c4-bot-5 opened 5 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
hansfriese marked the issue as unsatisfactory: Insufficient proof
hansfriese marked the issue as satisfactory
QA is more appropriate.
hansfriese changed the severity to QA (Quality Assurance)
hansfriese marked the issue as grade-a
See my comment on #335.
Upgrade to Medium for the same reason as #335.
hansfriese removed the grade
This previously downgraded issue has been upgraded by hansfriese
hansfriese marked the issue as satisfactory
hansfriese marked the issue as selected for report
mitigation: https://github.com/GenerationSoftware/pt-v5-vault/pull/97 See https://github.com/GenerationSoftware/pt-v5-vault/pull/96 for more details
trmid (sponsor) confirmed
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L922
Vulnerability details
Impact
maxWithdraw() and maxRedeem() may return too much, violating EIP-4626. liquidatableBalanceOf() may return too much.
Proof of Concept
uses yieldVault.convertToAssets() which per EIP-4626 is only approximate. Especially, it might return too much, and thus _maxYieldVaultWithdraw() might return too much. _maxYieldVaultWithdraw() is used in maxWithdraw(), in maxRedeem(), and in liquidatableBalanceOf() which functions may thus return too much. In the case of maxWithdraw() and maxRedeem() this violates EIP-4626.
Recommended Mitigation Steps
Use yieldVault.previewRedeem(yieldVault.maxRedeem(address(this))).
Assessed type
ERC4626
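The divergence described in the report, as an added example that is not part of the original submission or the PoolTogether code base. It assumes convertToAssets() is called on the same maxRedeem(address(this)) value used in the recommendation. MockFeeYieldVault, its 0.5% exit fee and the MaxWithdrawComparison helper are hypothetical, constructed so that the two ERC-4626 views disagree.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed mock: models only the three ERC-4626 views the finding touches.
contract MockFeeYieldVault {
    uint256 public constant FEE_BPS = 50; // hypothetical 0.5% exit fee
    uint256 public totalAssets;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Constructed sample state: `holder` owns every share, priced 1:1.
    constructor(address holder, uint256 amount) {
        totalAssets = amount;
        totalSupply = amount;
        balanceOf[holder] = amount;
    }

    function maxRedeem(address owner) external view returns (uint256) {
        return balanceOf[owner];
    }

    // EIP-4626: an estimate that must not include fees or slippage.
    function convertToAssets(uint256 shares) public view returns (uint256) {
        return totalSupply == 0 ? shares : shares * totalAssets / totalSupply;
    }

    // EIP-4626: what a redeem would pay out now, withdrawal fees included.
    function previewRedeem(uint256 shares) external view returns (uint256) {
        uint256 gross = convertToAssets(shares);
        return gross - gross * FEE_BPS / 10_000;
    }
}

/// Hypothetical holder of yield-vault shares comparing both ways of sizing a limit.
contract MaxWithdrawComparison {
    MockFeeYieldVault public immutable yieldVault;

    constructor() {
        yieldVault = new MockFeeYieldVault(address(this), 1_000e18);
    }
    // Pattern the report flags: the fee-free estimate used as a withdrawal limit.
    function maxViaConvert() public view returns (uint256) {
        return yieldVault.convertToAssets(yieldVault.maxRedeem(address(this)));
    }
    // Pattern the report recommends: the amount a redeem would actually return.
    function maxViaPreview() public view returns (uint256) {
        return yieldVault.previewRedeem(yieldVault.maxRedeem(address(this)));
    }
    // Assets by which the first figure overstates what can be pulled out.
    function overstatement() external view returns (uint256) { return maxViaConvert() - maxViaPreview(); }
}
```

A non-zero overstatement() means a caller that trusts the convertToAssets() figure can request more than the yield vault will pay out, which is the condition under which maxWithdraw() and maxRedeem() break their EIP-4626 guarantee.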