hats-finance / Accumulated-finance-0x75278bcc0fa7c9e3af98654bce195eaf3bb6a784


First Depositor Attack #70

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x0553608ce8e40629359847ddd94c719948d6de3c4fc62a21d86af6dac5348ca3
Severity: high

Description: First depositor attack that leads to loss of user funds.

Attack Scenario: The attacker donates a big amount of assets to the wstToken contract.

The attacker calls the syncRewards() function (https://github.com/hats-finance/Accumulated-finance-0x75278bcc0fa7c9e3af98654bce19[…]fea3cdcd7693e95c7ddcfa4c79df9b5fa715aafc/contracts/wstToken.sol) before any mint or deposit has happened.

The attacker calls mint for 1 wei of assets and gets 1 share, but the share value is for all the assets in the contract.

Because in the first mint you just get shares equal to the amount of assets you transfer, but from then on the ratio is based on storedTotalAssets, which includes the donation. Then we have an inflated value of the shares, which causes the amount of shares the users get to be rounded down. If 1 share is worth 10^20, all the rounding will go to the first depositor; for example, 1.9×10^20 assets will get 1 share, and the value of the second user's share will be 1.45×10^20 instead of his 1.9×10^20 assets. The attacker will get the difference.

For any call to the deposit function, if the user gets at least 1 share (with the inflated rate), the rest will be rounded in the attacker's favor.

Fix: add a minimal first deposit and lock some of the shares of the first deposit so the total shares will never be very small.
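A small integer-math model of the accounting this report describes, added here as an example (it is not the project's wstToken code): it replays the donate, syncRewards(), 1 wei mint and second deposit sequence on the plain vault, then on a variant with the proposed fix (minimum first deposit plus locked shares; the constant values are hypothetical), to show that the rounding loss shrinks to a fraction of one share and the attacker's setup donation is no longer recovered.

```python
class Vault:
    """Share math as the report describes it (model, not the project's code)."""
    def __init__(self):
        self.total_assets = 0  # storedTotalAssets
        self.total_shares = 0
        self.shares = {}
    def donate_and_sync(self, assets):  # transfer to contract + syncRewards()
        self.total_assets += assets
    def _mint(self, user, shares):
        self.shares[user] = self.shares.get(user, 0) + shares
        self.total_shares += shares
    def deposit(self, user, assets):
        if self.total_shares == 0:
            minted = assets  # first mint: 1 asset == 1 share
        else:
            minted = assets * self.total_shares // self.total_assets  # rounds down
        self.total_assets += assets
        self._mint(user, minted)
        return minted
    def redeem(self, user, shares):
        assets = shares * self.total_assets // self.total_shares
        self.shares[user] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets

class HardenedVault(Vault):
    """The report's fix: minimum first deposit plus shares locked forever."""
    MIN_FIRST_DEPOSIT = 10**6  # hypothetical values, not from the project
    LOCKED_SHARES = 10**3
    def deposit(self, user, assets):
        if self.total_shares:
            return super().deposit(user, assets)
        if assets < self.MIN_FIRST_DEPOSIT:
            raise ValueError("first deposit below minimum")
        self.total_assets += assets
        self._mint("locked", self.LOCKED_SHARES)  # burn address; nobody can redeem
        self._mint(user, assets - self.LOCKED_SHARES)
        return assets - self.LOCKED_SHARES

def replay(vault, donation=10**20, victim_deposit=19 * 10**19):
    """Report's scenario; returns (victim_loss, attacker_profit) in wei."""
    first = max(1, getattr(vault, "MIN_FIRST_DEPOSIT", 1))
    vault.donate_and_sync(donation)
    vault.deposit("attacker", first)
    vault.deposit("victim", victim_deposit)
    victim_out = vault.redeem("victim", vault.shares["victim"])
    attacker_out = vault.redeem("attacker", vault.shares["attacker"])
    return victim_deposit - victim_out, attacker_out - donation - first
```

On the plain vault replay() reproduces the report's numbers (the second depositor loses 0.45×10^20 to the attacker); on the hardened vault the attacker's profit is negative because the locked shares keep a slice of the donation forever.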

0xRizwan commented 2 weeks ago

It's a known issue to the protocol team, and the contract deployer would be the first depositor.

ilzheev commented 2 weeks ago

wstToken contracts are deployed by the team, so it's not possible to execute this attack.