hats-finance / Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a

The smart contracts of the Intuition protocol v1.
https://intuition.systems

In `_depositOnVaultCreation`, `totalAssets` is incremented by shares rather than assets #74

Open hats-bug-reporter[bot] opened 2 days ago

hats-bug-reporter[bot] commented 2 days ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xc4f119a4045fa21a13f7f2a8d6f1c9796d5a179a87c0df0b70828b2b7460ecd1
Severity: high

Description:

Upon creation of an Atom, a user can be the first depositor in the Atom they've created using _depositOnVaultCreation.

Let's take a deeper look in _depositOnVaultCreation:

For easier explanation, let's assume 5 assets = 1 share;

_setVaultTotals is executed inside _depositOnVaultCreation to increase the totalAssets and totalShares after the deposit. The problem here is both totalAssets and totalShares are increased with the totalDelta amount which holds the user's shares.

        uint256 totalDelta = isAtomWallet ? sharesForReceiver : sharesForReceiver + sharesForZeroAddress;

        // set vault totals for the vault
        _setVaultTotals(id, vaults[id].totalAssets + totalDelta, vaults[id].totalShares + totalDelta);

Attack Scenario:

If a user deposits 5 ETH, the totalAssets should be increased by 5 and totalShares by only 1.

However, the totalAssets will be increased by only 1, leaving the user at a loss.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

-        // set vault totals for the vault _setVaultTotals(id, vaults[id].totalAssets + totalDelta, vaults[id].totalShares + totalDelta);

+        // set vault totals for the vault _setVaultTotals(id, vaults[id].totalAssets + assets, vaults[id].totalShares + totalDelta);
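
Review bot: `assets` in the replacement call is not defined anywhere in the quoted lines of `_depositOnVaultCreation`; only `sharesForReceiver`, `sharesForZeroAddress` and `totalDelta` are visible, so the patch should name the variable that holds the asset amount actually credited to the vault and confirm it is in scope at this call. When `sharesForZeroAddress` is included in `totalDelta`, state whether the assets backing those shares are part of that amount, otherwise `totalShares` grows by more shares than `totalAssets` accounts for. A regression test that creates a vault at a rate other than 1:1 and asserts both totals after the call would pin the intended behaviour down.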
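
The accounting described in this report, modelled as an added example (not the project's contract code and not the reporter's PoC). It takes the asset-to-share rate as a parameter, using the report's assumed 5 assets = 1 share; `Vault`, `deposit_on_creation` and `accounting_gap` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    total_assets: int = 0
    total_shares: int = 0

    def redeemable(self, shares: int) -> int:
        """Assets paid out for `shares` at the vault's current ratio."""
        if self.total_shares == 0:
            return 0
        return shares * self.total_assets // self.total_shares


def deposit_on_creation(vault, assets, rate, fixed,
                        is_atom_wallet=True, shares_for_zero_address=0):
    """Model of the totals update quoted in the report.

    rate  -- assets per share (the report assumes 5; an assumption here too)
    fixed -- False: both totals grow by total_delta (reported behaviour)
             True:  total_assets grows by the deposited assets (proposed fix)
    """
    shares_for_receiver = assets // rate
    total_delta = (shares_for_receiver if is_atom_wallet
                   else shares_for_receiver + shares_for_zero_address)
    vault.total_assets += assets if fixed else total_delta
    vault.total_shares += total_delta
    return shares_for_receiver


def accounting_gap(assets, rate, fixed, **kwargs):
    """Return (assets missing from total_assets, assets the depositor can redeem)."""
    vault = Vault()
    shares = deposit_on_creation(vault, assets, rate, fixed, **kwargs)
    return assets - vault.total_assets, vault.redeemable(shares)


if __name__ == "__main__":
    # Constructed inputs: 5 units deposited, as in the report's scenario.
    for rate in (5, 1):
        for fixed in (False, True):
            print(f"rate={rate} fixed={fixed} ->", accounting_gap(5, rate, fixed))
```

In this model both variants produce identical totals at a 1:1 rate, so a test meant to catch the mismatch has to deposit at a rate other than 1:1.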