Open hats-bug-reporter[bot] opened 1 week ago
The reported issue concerning the compliance of the asset to share and share to asset conversion mechanism with ERC-4626 has been reviewed. Here is our detailed perspective:
Standards Reference: The ERC-4626 standard mentions using time-weighted mechanisms for conversion functions as a security consideration. However, it does not mandate this as a requirement, and the standard itself acknowledges the flexibility in implementation.
Design Considerations: Our implementation of the convertToShares
and convertToAssets
functions is intentional and designed to be straightforward and efficient. The use of a time-weighted average price (TWAP) is a suggestion for added robustness but not a compulsory feature.
Economic Safeguards: Our protocol includes multiple layers of economic safeguards such as protocolFees
, entryFees
, and exitFees
. These fees significantly reduce the feasibility of any manipulation attempts, making it capital-intensive and likely unprofitable.
Lack of Proof of Concept: The issue report does not provide a Proof of Concept (PoC) or any revised code files to demonstrate the alleged vulnerability. Without concrete evidence or examples of exploit scenarios, the claim remains speculative.
Conclusion: Based on the above points, we do not consider the current implementation to be non-compliant or vulnerable. The absence of time-weighted price mechanisms does not inherently pose a risk due to our economic safeguards. Therefore, we consider this issue to be invalid.
Status: This issue is invalid.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x5ad0f3bda268d9823484d3daaf55a1f34a7ba6371ed7e47b652a10d2adc43005 Severity: high
Description: Description
eip-4626
security considerations (EIP)[https://eips.ethereum.org/EIPS/eip-4626#security-considerations] mentioned the usage of convert functinalities for estimaiting the amount for change needs to be done viatime-weighted
mechanism implemented inside of it otherwise it would be manipulatable.in 'ethmultivault.sol' here is the snippet of convert mechanism used without using time-weighted price and as doc said its more likely to be manipulated,
the exchange rate in convert functionalities will be manipulatable by fruntrunning deposit process and many othere ways unles it gives output with the help of time-weighted calculated results
thus it'll cause loss of funds for user