Description:
The comment on the withdrawAll function states:
minOut The minimum token output. If less is returned, the transaction reverts.
The withdrawAll function contains a bug in how it checks the minOut minimum output amounts supplied by the user. This could allow users to withdraw fewer tokens than their specified minimum.
withdrawAll burns vault tokens to withdraw proportional amounts of all assets. It takes a vaultTokens amount to burn and a minOut array of minimum outputs.
The check if (minOut[it] > tokenAmount) revert ReturnInsufficient(...) compares minOut to the vault's available balance.
It does not check that the amounts actually sent to the user are at least the specified minOut.
```solidity
// Check if the user is satisfied with the output.
if (minOut[it] > tokenAmount) revert ReturnInsufficient(tokenAmount, minOut[it]);
```
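As an added example (not the Catalyst project's code), the following Python model of a withdrawAll-style pro-rata payout applies the minOut check two ways: against the computed tokenAmount, as in the check quoted above, and against the balance delta the user actually receives. The pro-rata formula, the escrow accounting, the vault and token state, and the fee-on-transfer token used to make the two figures diverge are all constructed assumptions for illustration, not taken from the contract.

```python
# Added example, not the project's code: a minimal model of a pro-rata
# withdrawAll with minOut enforced either on the computed amount or on
# the amount the user actually receives.
from dataclasses import dataclass, field

VAULT = "vault"  # constructed stand-in for the vault contract address


class ReturnInsufficient(Exception):
    """Models the revert; args are (amount, min_out)."""


@dataclass
class Token:
    """Constructed ERC20 stand-in. fee_bps > 0 models a token that deducts a
    fee on transfer, so the receiver gets less than the sender paid out."""
    balances: dict = field(default_factory=dict)
    fee_bps: int = 0

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, frm, to, amount):
        assert self.balances.get(frm, 0) >= amount, "insufficient balance"
        self.balances[frm] -= amount
        received = amount - amount * self.fee_bps // 10_000
        self.balances[to] = self.balances.get(to, 0) + received
        return received


def withdraw_all(vault, tokens, escrowed, user, vault_tokens, min_out, check_delivered):
    """Burn vault_tokens and pay out a pro-rata share of every token.

    check_delivered=False reproduces the quoted check (minOut vs. the computed
    tokenAmount); True checks minOut against the user's actual balance delta.
    """
    initial_supply = vault["total_supply"]
    assert vault["shares"][user] >= vault_tokens, "not enough vault tokens"
    vault["shares"][user] -= vault_tokens
    vault["total_supply"] -= vault_tokens

    amounts = []
    for it, token in enumerate(tokens):
        # Assumed pro-rata formula: share of the non-escrowed vault balance.
        available = token.balance_of(VAULT) - escrowed[it]
        token_amount = available * vault_tokens // initial_supply

        # Variant 1: check the figure computed before the transfer.
        if not check_delivered and min_out[it] > token_amount:
            raise ReturnInsufficient(token_amount, min_out[it])

        before = token.balance_of(user)
        token.transfer(VAULT, user, token_amount)
        delivered = token.balance_of(user) - before

        # Variant 2: check what the user actually received.
        if check_delivered and min_out[it] > delivered:
            raise ReturnInsufficient(delivered, min_out[it])
        amounts.append(delivered)
    return amounts


def build_scenario(fee_bps):
    """Constructed state: two tokens, one with 100 units escrowed, and a user
    holding 25% of the vault token supply."""
    token_a = Token({VAULT: 1000}, fee_bps)
    token_b = Token({VAULT: 600}, fee_bps)
    escrowed = [0, 100]
    vault = {"total_supply": 100, "shares": {"alice": 25}}
    return [token_a, token_b], escrowed, vault


def run(fee_bps, check_delivered):
    """Fresh state per run so a raise behaves like a revert for the caller."""
    tokens, escrowed, vault = build_scenario(fee_bps)
    try:
        return withdraw_all(vault, tokens, escrowed, "alice", 25, [250, 125], check_delivered)
    except ReturnInsufficient as exc:
        return ("revert", exc.args)


if __name__ == "__main__":
    print("plain token, computed check:  ", run(0, False))
    print("plain token, delivered check: ", run(0, True))
    print("2% fee token, computed check: ", run(200, False))
    print("2% fee token, delivered check:", run(200, True))
```

With a plain token both checks accept the same amounts, so the distinction only shows once the delivered amount can fall below the computed one; the constructed 2% fee-on-transfer token makes that happen: the computed check passes and the user receives 245 against a minOut of 250, while the delivered check reverts with (245, 250).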
Github username: @ololade97
Twitter username: 97Sabit
Submission hash (on-chain): 0x96043732b96e5885f6613024143e5239cc362f2d68a0f95e28014cfa8e9aebf4
Severity: high
Attachments: https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultVolatile.sol#L452