Open hats-bug-reporter[bot] opened 3 months ago
Seems like a mistake on my part as it is expected behavior, just saw it in the docs, the issue can be closed.
Upon review, we confirm that the behavior described in the report is indeed intended and documented. Here are the key points:
In conclusion, the system works as intended, and this issue can be closed.
Github username: --
Twitter username: iamandreiski
Submission hash (on-chain): 0xc1de819c997a15e9cee77e504a3ca5cddd182703532cabeac1882dac65fd012d
Severity: medium

Description:
When users deposit or redeem either Atom or Triple, there can be entry or exit fees. In both cases the fees are accounted towards the vault assets. Since entry fees are charged only when the vault is empty, in this case we'll focus on the exit fees.
When a user redeems, the `getRedeemAssetsAndFees()` function determines the amount of fees that a user will pay. The exit fee amount is never subtracted from the total vault assets and it will remain as part of it, even though shares which correlate to its part were burned during the redemption.

Attack Scenario:
When a user decides to redeem Atom or Triple, they will choose the respective function, which will subsequently call the `_redeem()` function:

When `getRedeemAssetsAndFees()` is examined:

When it comes to `assetsForReceiver`, which `_setVaultTotals` uses to account for vault assets, it's the asset amount without the exit and the protocol fee. When `_setVaultTotals()` is invoked to update the totalAsset values, it accounts for the `assetsForReceiver` and the protocol fee, but the exitFee will remain as part of the totalAssets in the vault, even though corresponding shares for it were burned when later burn was invoked:

Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
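The accounting the report walks through, modelled as a small Python toy vault (added here; not the project's code). The fee percentages, the basis-point denominator and the method names are constructed assumptions. It lets you compare the documented behaviour (exit fee stays in `totalAssets`, shares burned) against the alternative the reporter expected (exit fee leaves the vault), and see that the retained fee accrues to the remaining share holders rather than being lost.

```python
from dataclasses import dataclass, field

BPS = 10_000  # fee denominator in basis points (assumption for this model)


@dataclass
class ToyVault:
    """Minimal share-based vault modelling the redemption accounting in the report."""
    exit_fee_bps: int
    protocol_fee_bps: int
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def deposit(self, user: str, assets: int) -> int:
        # Entry fee omitted: the report only considers the exit path.
        minted = assets if self.total_shares == 0 else assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += minted
        self.balances[user] = self.balances.get(user, 0) + minted
        return minted

    def redeem_assets_and_fees(self, shares: int) -> tuple:
        """Split a redemption into (gross, assetsForReceiver, protocolFee, exitFee)."""
        gross = shares * self.total_assets // self.total_shares
        protocol_fee = gross * self.protocol_fee_bps // BPS
        exit_fee = gross * self.exit_fee_bps // BPS
        return gross, gross - protocol_fee - exit_fee, protocol_fee, exit_fee

    def redeem(self, user: str, shares: int, exit_fee_stays: bool) -> int:
        gross, for_receiver, protocol_fee, exit_fee = self.redeem_assets_and_fees(shares)
        # Behaviour the report describes: only the receiver amount and the
        # protocol fee leave totalAssets; the exit fee remains in the vault.
        self.total_assets -= for_receiver + protocol_fee
        if not exit_fee_stays:
            self.total_assets -= exit_fee  # alternative: exit fee leaves the vault too
        self.total_shares -= shares  # shares are burned in both variants
        self.balances[user] -= shares
        return for_receiver

    def value_of(self, user: str) -> int:
        return self.balances[user] * self.total_assets // self.total_shares


def simulate(exit_fee_stays: bool) -> dict:
    """Constructed scenario: Alice and Bob each deposit 1000, then Bob fully redeems."""
    v = ToyVault(exit_fee_bps=100, protocol_fee_bps=50)  # 1% exit, 0.5% protocol (assumed)
    v.deposit("alice", 1000)
    v.deposit("bob", 1000)
    bob_gets = v.redeem("bob", 1000, exit_fee_stays)
    return {"bob_receives": bob_gets, "total_assets": v.total_assets,
            "alice_claim": v.value_of("alice")}
```

With the fee retained, Alice's remaining shares are worth 1010 instead of 1000, which is where the "missing" exit fee goes.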