Closed c4-bot-6 closed 5 months ago
Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/59b1f70cbf170871f9604e73e7fe70b70981ab43/contracts/core/Vault.sol#L224
https://github.com/code-423n4/2024-05-bakerfi/blob/59b1f70cbf170871f9604e73e7fe70b70981ab43/contracts/core/Vault.sol#L254

Vulnerability details

Impact

An attacker can extract someone else's ShareReward

Proof of Concept

```solidity
function deposit(address receiver) .... {
    .....
    uint256 amount = abi.decode(result, (uint256));
    // shares = amount * totalSupply / _totalAssets
    shares = total.toBase(amount, false);
    _mint(receiver, shares);
    emit Deposit(msg.sender, receiver, msg.value, shares);
}
```

_totalAssets = totalCollateralInEth - totalDebtInEth

```solidity
function deployed(uint256 priceMaxAge) public view returns (uint256 totalOwnedAssets) {
    (uint256 totalCollateralInEth, uint256 totalDebtInEth) = _getPosition(priceMaxAge);
    totalOwnedAssets = totalCollateralInEth > totalDebtInEth
        ? (totalCollateralInEth - totalDebtInEth)
        : 0;
}
```

withdrawAmount = share * totalAssets() / totalSupply()

When totalAssets > 0, the attacker can deposit and withdraw again and again, and the attacker will always get share until totalAssets = 0.

Tools Used

vscode, manual

Recommended Mitigation Steps

Modify the way rewards are distributed.

Assessed type

Error
Withdrawn by zhaojie
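To check the deposit/withdraw loop from the Proof of Concept against the two formulas quoted in the report, here is an added Python model; it is not code from the report or from the BakerFi repository. It assumes a plain proportional-share vault with Solidity-style floor division and 1:1 minting when the vault is empty; `VaultModel`, `run_loop` and the sample amounts are constructed, and leverage, fees and oracle pricing are not modelled.

```python
# Simplified model (assumption): only the two formulas quoted in the report,
# with integer floor division as in Solidity. Leverage, fees and oracle
# prices in the real Vault are not modelled.

class VaultModel:
    def __init__(self):
        self.total_assets = 0   # stands in for totalAssets()
        self.total_supply = 0   # stands in for totalSupply()
        self.shares = {}

    def deposit(self, who, amount):
        # shares = amount * totalSupply / _totalAssets (1:1 when empty, assumed)
        if self.total_supply == 0 or self.total_assets == 0:
            minted = amount
        else:
            minted = amount * self.total_supply // self.total_assets
        self.total_assets += amount
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def withdraw(self, who, share):
        # withdrawAmount = share * totalAssets() / totalSupply()
        amount = share * self.total_assets // self.total_supply
        self.total_assets -= amount
        self.total_supply -= share
        self.shares[who] -= share
        return amount

    def claim(self, who):
        if self.total_supply == 0:
            return 0
        return self.shares.get(who, 0) * self.total_assets // self.total_supply


def run_loop(rounds=50, deposit_amount=10**18 + 7):
    v = VaultModel()
    v.deposit("alice", 5 * 10**18)   # constructed existing holder
    v.total_assets += 3 * 10**17     # constructed yield accrued before the loop
    alice_before = v.claim("alice")
    net = 0                          # looping account's cumulative gain (+) or loss (-)
    for _ in range(rounds):
        minted = v.deposit("attacker", deposit_amount)
        net += v.withdraw("attacker", minted) - deposit_amount
    return net, alice_before, v.claim("alice")
```

`run_loop()` returns the looping account's net result and the existing holder's claim before and after the loop. Under these two formulas alone, the net is never positive and the existing holder's claim does not shrink, because both the mint and the withdrawal round down.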