Open c4-bot-2 opened 2 weeks ago
However, it is possible that s_poolAssets is zero. When users are minting short positions (equivalent to minting UniswapV3 LP), tokens are sent to UniswapV3. If the amount of tokens happens to be exactly the remainder asset of a CollateralTracker, the updated s_poolAssets would turn to zero.
Good point. This only happens when you can't withdraw anyway though, so this is more of a quirk/incorrect as to spec Low severity issue I think.
At first sight I think @dyedm1 is right !
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-a
Picodes marked the issue as selected for report
For awarding purposes, C4 staff have marked as 1st place
.
Lines of code
https://github.com/code-423n4/2024-09-panoptic/blob/main/contracts/CollateralTracker.sol#L489 https://github.com/code-423n4/2024-09-panoptic/blob/main/contracts/CollateralTracker.sol#L593
Vulnerability details
Impact
CollateralTracker is a ERC4626 compliant vault. However, in some cases, the maxWithdraw/maxRedeem functions may revert.
Bug Description
According to the README:
Panoptic’s CollateralTracker supports the full ERC4626 interface
. In the scope of this audit contest, a new change was introduced when calculating maxWithdraw/maxRedeem that it usess_poolAssets - 1
as available asset balance since there was 1 wei of virtual balance in the beginning.However, it is possible that
s_poolAssets
is zero. When users are minting short positions (equivalent to minting UniswapV3 LP), tokens are sent to UniswapV3. If the amount of tokens happens to be exactly the remainder asset of a CollateralTracker, the updateds_poolAssets
would turn to zero. `Proof of Concept
Presented above.
Tools Used
Manual Review
Recommended Mitigation Steps
For both functions, if
s_poolAssets == 0
, simply return 0.Assessed type
ERC4626