Open c4-bot-4 opened 6 months ago
0xEVom marked the issue as duplicate of #281
0xEVom marked the issue as sufficient quality report
jhsagd76 changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by jhsagd76
jhsagd76 changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L360-L363 https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L366-L369 https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L372-L375 https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L378-L381
Vulnerability details
The
V3Vault::withdraw
function withdraws theassets
, parameter for the amount of asset, by burningshares
in theV3Vault::_withdraw
function subsequently called.The
V3Vault::deposit
function deposits theassets
, parameter for the amount of asset, by mintingshares
in theV3Vault::_deposit
function subsequently called.The
V3Vault::redeem
function redeems a specific amount of shares, by burning them and withdrawing in the corresponding amount of assets inV3Vault::_withdraw
function subsequently called.The
V3Vault::mint
function mints theassets
, parameter for the amount of asset, by mintingshares
in theV3Vault::_deposit
function subsequently called.It is theoretically possible for the deposit amount to mint shares more than the maximum mint-able amount, or for the withdraw amount to burn shares more than the maximum withdraw-able amount. It is also theoretically possible for the mint amount to deposit assets more than the maximum deposit-able amount, or for the redeem amount to withdraw assets more than the maximum withdraw-able amount.
However, there is neither protection against burning or minting too many user's shares for their specific
assets
, not protection against depositing or withdrawing too many user's assets for their specific amount of shares. Then themaxDeposit
,maxMint
,maxWithdraw
andmaxRedeem
functions ofV3Vault
should be used to protect user's shares.Proof of Concept
There is no check to validate if the minted/burned shares would exceed the maximum amount of shares that could've been minted/burned by V3Vault, nor check to validate if the deposited/withdrawn amount of assets would exceed the maximum amount of assets that could've been deposited/withdrawn.
However, the expression
amount.mulDiv(Q96, exchangeRateX96, rounding)
in theV3Vault::_convertToShares
function could return a value more than the maximum mint-able or the maximum redeem-able amount.As well, the expression
shares.mulDiv(exchangeRateX96, Q96, rounding)
in theV3Vault::_convertToAssets
function could return a value more than the maximum deposit-able amount or the maximum withdraw-able amount.This is possible if the vault get exploited or is severely under-collateralized.
User call
V3Vault::withdraw()
withassets = 1200
. Normally, the burned shares should be1000
. However, there's an exploit in the vault which makes the shares burned to= 100_000
, the entire user's shares.Impact
Users can lose their entire shares when withdrawing and obtain more shares with depositing due to lack of amount burned check. Users can obtain more assets when redeeming due to lack of check on amount of withdrawn assets.
Tools Used
Manual review
Recommended Mitigation Steps
Include the
maxMintable
,maxDepositable
,maxWithdrawable
andmaxRedeemable
check in theV3Vault
deposit, withdraw, redeem and mint corresponding functions.Below an example :
Assessed type
Invalid Validation