Open hats-bug-reporter[bot] opened 4 hours ago
`splitFromDai` / `splitFromBase` are expected to be called for a market with `parentCollectionId == 0` (otherwise you are splitting a child market, and child markets are not split using sDAI but using an outcome token of the parent market)
Github username: --
Twitter username: --
Submission hash (on-chain): 0xfd1b6a2195121b5e5e259ad753c910848eafc59e45d8fc1f2c430ba0b651c11d
Severity: high
Description:
The current implementation allows users to use split functionality to split their one position into two separate positions. However, if the split happens after we’ve already split the first parent position, the funds will still be taken from the user, resulting in an unexpected revert (if the user has no more funds to deposit), making the split inaccessible for this particular user, or in an excessive taking of funds, as every split will transfer funds from the user.
Attack Scenario
Let’s consider the following scenario:
`sDAI` (in the case of the `MainnetRouter`) or in a `savingsXDaiAdapter` (in the case of the `GnosisRouter`) contracts.
`splitFromBase()` function in the `GnosisRouter`, the user is not able to make a split at all if he hasn’t deposited any more funds.

Attachments
To initiate a split operation, the user has to either call `splitFromBase()` in the `GnosisRouter` or `splitFromDai()` in the `MainnetRouter`:
MainnetRouter.sol::31-37
GnosisRouter.sol::28-35
The problem is that the contract currently takes funds from the users every time, not making sure that the `parentCollectionId` for this split is equal to 0 (meaning it’s the first split). Therefore, this situation (when `parentCollectionId != 0`) is incorrectly handled:
Router.sol::56-64
As a result, the users will not be able to make more splits other than one (the first split) without depositing additional funds, facing either a tx revert or transferring more funds than expected into the protocol (effectively losing them).
Recommendation
Take the funds from the user for splitting only in the case when `parentCollectionId == 0`.
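The accounting behaviour reported above and the `parentCollectionId == 0` check, as a simplified Python model added here; it is not the project's Solidity code. `RouterModel`, `split_child`, the market dictionaries, the user name and all balances are constructed assumptions.

```python
class Revert(Exception):
    """Models a Solidity revert; the failed call changes no state."""

class RouterModel:
    def __init__(self, guarded):
        self.guarded = guarded  # True applies the recommended check
        self.base = {}          # user -> base funds (DAI / xDAI)
        self.positions = {}     # (user, market name) -> outcome tokens

    def _pull_base(self, user, amount):
        if self.base.get(user, 0) < amount:
            raise Revert("insufficient base funds")
        self.base[user] -= amount

    def _mint(self, user, market, amount):
        key = (user, market["name"])
        self.positions[key] = self.positions.get(key, 0) + amount

    def split_from_base(self, user, market, amount):
        """Base-asset entrypoint (splitFromDai / splitFromBase)."""
        if self.guarded and market["parent_collection_id"] != 0:
            raise Revert("child market: use the parent outcome token")
        self._pull_base(user, amount)  # unguarded: charged on every split
        self._mint(user, market, amount)

    def split_child(self, user, market, amount):
        """Child split funded by the parent market's outcome token."""
        key = (user, market["parent"])
        if self.positions.get(key, 0) < amount:
            raise Revert("insufficient parent outcome tokens")
        self.positions[key] -= amount
        self._mint(user, market, amount)

# Constructed sample markets; the non-zero id is a placeholder.
ROOT = {"name": "root", "parent": None, "parent_collection_id": 0}
CHILD = {"name": "child", "parent": "root", "parent_collection_id": 0xABC}
def run(guarded, deposit):
    """Root split of 100, then a child split tried via the base entrypoint."""
    r = RouterModel(guarded)
    r.base["alice"] = deposit
    r.split_from_base("alice", ROOT, 100)
    try:
        r.split_from_base("alice", CHILD, 100)
        outcome = "charged again"
    except Revert as e:
        outcome = "revert: " + str(e)
    if guarded:
        r.split_child("alice", CHILD, 100)  # intended path for a child market
    return outcome, r.base["alice"], r.positions.get(("alice", "child"), 0)
```

`run(False, 100)` and `run(False, 200)` reproduce the two outcomes the report describes (revert, or a second charge); with `guarded=True` the base entrypoint rejects the child market before any funds move.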