Closed c4-bot-4 closed 4 months ago
I've marked this as Mitigated based on the changes provided in the PR, because they were valid. However the final repo with all the fixes applied does NOT fix this issue. And I have submitted it as a separate finding -> https://github.com/code-423n4/2024-04-revert-mitigation-findings/issues/64
jhsagd76 marked the issue as nullified
Lines of code
Vulnerability details
C4 Issue
M-12: Wrong global lending limit check in _deposit function
Issue Details
V3Vault.sol defines a globalLendLimit variable that ensures the total amount of assets lent does not exceed the protocol limit - it is calculated in terms of the assets provided. The problem was that the _deposit() function incorrectly checked if the globalLendLimit is reached by comparing it against the total shares, without converting them to assets first (as it should), because globalLendLimit is defined in terms of assets, not shares.
Mitigation
PR-16 successfully mitigates the original issue by converting the shares to assets inside _deposit() before validating globalLendLimit.
Conclusion
Mitigation Confirmed
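
The unit mismatch described above, reduced to a minimal contract. This is an added example, not code from the issue, PR-16 or the audited repository; the contract, the Q96 exchange rate and every name other than globalLendLimit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the V3Vault source. Every name except
// globalLendLimit is hypothetical.
contract LendLimitSketch {
    uint256 internal constant Q96 = 2 ** 96;

    uint256 public immutable globalLendLimit;   // unit: assets
    uint256 public immutable assetsPerShareX96; // Q96 fixed-point rate (assumed)
    uint256 public totalShares;                 // unit: shares

    error GlobalLendLimit();

    constructor(uint256 limitInAssets, uint256 rateX96) {
        globalLendLimit = limitInAssets;
        assetsPerShareX96 = rateX96;
    }

    // Shares to assets, rounded up so the limit check never under-counts
    // (rounding direction is this sketch's choice). Real code would use a
    // full-precision mulDiv; here an oversized product simply reverts.
    function toAssets(uint256 shares) public view returns (uint256) {
        uint256 product = shares * assetsPerShareX96;
        return product == 0 ? 0 : (product - 1) / Q96 + 1;
    }

    // Flawed pattern: a share count is compared with a limit held in assets.
    function depositUnitMismatch(uint256 shares) external {
        totalShares += shares;
        if (totalShares > globalLendLimit) revert GlobalLendLimit();
    }

    // Corrected pattern: convert to assets first, then compare like with like.
    function depositUnitsAligned(uint256 shares) external {
        totalShares += shares;
        if (toAssets(totalShares) > globalLendLimit) revert GlobalLendLimit();
    }
}
```

With globalLendLimit = 1000 and a rate of 1.5 assets per share (3 * 2**95), 900 total shares are worth 1350 assets: depositUnitMismatch(900) succeeds while depositUnitsAligned(900) reverts.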