M-14 MitigationConfirmed

[c4-bot-8]

Lines of code

Vulnerability details

C4 issue

M-14: V3Vault is not ERC-4626 compliant

Comments

Revert's V3Vault complies with EIP-4626. Unfortunately, for the maxDeposit(), maxMint(), maxWithdraw(), and maxRedeem() functions, Revert does not correctly apply the standards set forth in the EIP documentation. These requirements that are missing include:

• Returning the correct amount that is allowed to be transferred and not cause a revert.
• Return 0 if the functionality is disabled.

These requirements were not applied to any of these functions. These missing requirements are due to not accounting for lend/debt increase limits, available balances in the vault, and lend limits.

Other Mitigations Complete

PR #15

Revert mitigates this issue by updating the 4626-compliant functions maxDeposit(), maxMint(), maxWithdraw(), and maxRedeem(). These updates include:

• maxDeposit()
  • Checks that the global lend limit has not exceeded, otherwise return 0.
  • Checks that the daily lend limit has not reached 0. If it's been reached, return 0. Otherwise return how much daily limit is left. Denomination is in assets.
• maxMint()
  • Checks that the global lend limit has not exceeded, otherwise return 0.
  • Checks that the daily lend limit has not reached 0. If it's been reached, return 0. Otherwise return how much daily limit is left. Denomination is in shares.
• maxWithdraw()
  • Checks that the total owner's balance can be withdrawn. Does this by ensuring the Vault's total asset balance does not exceed the user's balance. If the user's balance exceeds Revert's balance, return the user's balance. Denomination is in shares.
• maxRedeem()
  • Checks that the total owner's balance can be withdrawn. Does this by ensuring the Vault's total share balance does not exceed the user's share balance. If the user's balance exceeds Revert's balance, return the user's balance. Denomination is in shares.

In addition, the following misc change was made:

• Rename V3Vault._getAvailableBalance() to V3Vault._getBalanceAndReserves(). The updated _getBalanceAndReserves() function also removes the available return value. This is no longer necessary in the code and Revert has applied the correct changes to account for no longer needing this value.

Anything Else I Should Know

This mitigation introduced a new issue that I posted in a separate ticket. I intentionally left this out and wanted to make note that all other mitigations for this issue are fixed.

[c4-judge]

jhsagd76 marked the issue as nullified

[c4-judge]

jhsagd76 marked the issue as satisfactory

[c4-judge]

jhsagd76 marked the issue as confirmed for report