Open c4-bot-2 opened 2 months ago
Picodes marked the issue as primary issue
This is correct but EIP-4626 is not listed in the compliance requirements, so unsure whether Medium or Low severity would be most appropriate (the impact of this is very limited given that it is only an issue in the maxMint
function, which is not used anywhere in the protocol or periphery).
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
Picodes marked issue #501 as primary and marked this issue as a duplicate of 501
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L446
Vulnerability details
Impact
CollateralTracker.maxMint()
is incorrect and violates EIP-4626.Proof of Concept
In CollateralTracker.sol
whereas
mint()
is only limited bywhere
previewMint()
isThis means that
maxMint()
should rather returntype(uint104).max * totalSupply * (DECIMALS - COMMISSION_FEE) / (totalAssets() * DECIMALS)
.There are several errors in the original
maxMint()
: the+
inDECIMALS + COMMISSION_FEE
, the inversion ofDECIMALS / (DECIMALS - COMMISSION_FEE)
, and the use ofconvertToShares()
. The latter causes a rounding error from a multiplication on a division.CollateralTracker is an ERC4626 vault. Since
DECIMALS / (DECIMALS + COMMISSION_FEE) > (DECIMALS - COMMISSION_FEE) / DECIMALS
maxMint()
returns too much. This can also be seen in the test case below which on the current code reverts due toDepositTooLarge()
. This means thatmaxMint()
violates "MUST NOT be higher than the actual maximum that would be accepted (it should underestimate if necessary)".Paste the below test case into CollateralTracker.t.sol and run with
forge test --match-test test_maxMint
. This test should pass. It fails with the current code, but passes with the recommended fix below.Recommended Mitigation
Assessed type
ERC4626