Open hats-bug-reporter[bot] opened 1 week ago
This report is invalid due to the following reasons:

- `depositTriple` function correctly verifies whether a vault is a triple vault using the `isTripleId` function, which checks both positive and counter vaults. The logic is thoroughly tested and proven correct.
- `isTripleId` function works as expected, confirming that deposits to negative triple vaults are handled correctly.

In conclusion, the current implementation is correct and validated through testing. Therefore, this issue is invalid.

Github username: --
Twitter username: iamandreiski
Submission hash (on-chain): 0x3b762ca5b95c3efb5e16773f86a6525d10133a9dd18c03352c68d60a257fbbff
Severity: medium

Description:

Users will never be able to deposit into the negative Triple vault due to `isTriple` never being set to true for the negative vault during Triple creation.

Attack Scenario

When a new Triple is created, `_createTriple()` is invoked, which among other things sets the `isTriple` as `true` for the newly created Triple vault id:

When a counter/negative vault is created after `_depositOnVaultCreation` is called, here if the id of the vault is "Triple" it calculates its negative/counter vault and deposits ghost shares to it:

The problem is, whenever users want to deposit to the counter vault, they can't as the following condition in `depositTriple` will always fail:

Here is how `isTripleId(id)` is decided:

Since the vault in which users want to deposit will be a counterTriple or its id would be above `type(uint256).max / 2`, it will check whether `isTriple[type(uint256).max - id]` is `true`, but since it was never set to true when creating the Triple vault, it will always return false.

Attachments

Proof of Concept (PoC) File
Revised Code File (Optional)
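
A minimal Python model of the `isTripleId` lookup discussed in this thread, added here as an example; it is not the project's contract code or the report's PoC. It assumes the counter vault id is `type(uint256).max - id` (not stated on the page), and `VaultModel`, `is_triple_id_unmirrored` and `demo` are hypothetical names.

```python
# Added model, not the project's contract code. Names mirror those in the report.
UINT256_MAX = 2**256 - 1


class VaultModel:
    def __init__(self):
        self.count = 0          # last vault id handed out
        self.is_triple = {}     # id -> bool, written for positive triple ids only
        self.deposits = {}      # vault id -> total assets deposited

    def create_triple(self):
        """Create a triple vault; the flag is set for the positive id only."""
        self.count += 1
        self.is_triple[self.count] = True
        return self.count

    @staticmethod
    def counter_id(triple_id):
        # Assumption: the counter vault id mirrors the triple id around uint256 max.
        return UINT256_MAX - triple_id

    def is_triple_id(self, vault_id):
        """Check as quoted in the report: ids above max/2 are mirrored before lookup."""
        if vault_id > UINT256_MAX // 2:
            return self.is_triple.get(UINT256_MAX - vault_id, False)
        return self.is_triple.get(vault_id, False)

    def is_triple_id_unmirrored(self, vault_id):
        """Hypothetical variant with no mirroring, for contrast."""
        return self.is_triple.get(vault_id, False)

    def deposit_triple(self, vault_id, assets):
        if not self.is_triple_id(vault_id):
            raise ValueError("vault is not a triple")
        self.deposits[vault_id] = self.deposits.get(vault_id, 0) + assets
        return self.deposits[vault_id]


def demo():
    m = VaultModel()
    tid = m.create_triple()
    cid = m.counter_id(tid)
    return {
        "counter_passes_check": m.is_triple_id(cid),
        "counter_passes_unmirrored": m.is_triple_id_unmirrored(cid),
        "counter_deposit_total": m.deposit_triple(cid, 100),
        "unknown_counter_passes": m.is_triple_id(m.counter_id(tid + 1)),
    }
```

In this model the mirrored lookup resolves a counter id back to the positive id whose flag was written at creation; the unmirrored variant is the case in which a counter-vault deposit would be rejected.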