hats-finance / StakeWise-0xd91cd6ed6c9a112fdc112b1a3c66e47697f522cd

Liquid staking protocol for Ethereum

When the vault capacity is reached, user cannot deposit ETH to make his account healthy #105

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @JeffCX
Submission hash (on-chain): 0x3ebb48540b920995a22e6f1f0d4d48bce2d1ad3687238cf86e9ca3a8e54c163c
Severity: medium

Description:

When the vault capacity is reached, the user cannot deposit ETH to make his account healthy

Attack Scenario

In the current implementation,

the vault admin can permissionlessly deploy the vault and set the vault capacity

the amount of user deposits is capped by the vault capacity, and the vault capacity cannot be changed

after the user deposits ETH to mint vault shares, the user can also choose to mint OSToken to increase the position shares

when the user holds OSToken, the user may be subject to liquidation

to make the account healthy,

the user has two options

  1. the user can deposit more ETH
  2. the user can burn OSToken to reduce position.shares

once the vault capacity is reached, option one is gone

the user cannot deposit more ETH (add more collateral) to make the account healthy

the only option left for the user is to burn OSToken to reduce the shares

but the problem is that the fee is still accumulated in position.shares, even when the user cannot deposit more ETH, when position.shares are burned in burnOsToken

```solidity
  function _syncPositionFee(OsTokenPosition memory position) private view {
    // fetch current cumulative fee per share
    uint256 cumulativeFeePerShare = _osToken.cumulativeFeePerShare();

    // check whether fee is already up to date
    if (cumulativeFeePerShare == position.cumulativeFeePerShare) return;

    // add treasury fee to the position
    position.shares = SafeCast.toUint128(
      Math.mulDiv(position.shares, cumulativeFeePerShare, position.cumulativeFeePerShare)
    );
    position.cumulativeFeePerShare = SafeCast.toUint128(cumulativeFeePerShare);
  }
```

so the user can never burn the full position.shares and is forced to consistently pay the fee, and this may just lead to liquidation

the user cannot really wait for someone to redeem / withdraw so that the vault balance no longer hits the capacity, because liquidation can come first once the fee on position.shares applies

Attachments

  1. Proof of Concept (PoC) File

described above

  2. Revised Code File (Optional)

make the vault capacity adjustable and always give the user the option to increase the ETH collateral
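A small Python model of the mechanism the report describes, added here as an illustration (it is not StakeWise code). `sync_position_fee` mirrors the integer arithmetic of `_syncPositionFee`; the fixed capacity check, the pricing of one osToken share as one wei of debt and the 90% liquidation threshold are assumptions of the model, and the 1% fee steps and the user "alice" are constructed sample values.

```python
WAD = 10**18  # 1e18 fixed-point scale used for cumulativeFeePerShare

def sync_position_fee(shares, pos_cum, cum):
    """Mirror of _syncPositionFee: scale shares by the growth of the global cum fee (floor, like mulDiv)."""
    if cum == pos_cum:
        return shares, pos_cum
    return shares * cum // pos_cum, cum

class Vault:
    """Assumed: 1 osToken share == 1 wei of debt; healthy while debt <= collateral * liq% / 100."""
    def __init__(self, capacity, liq_threshold_pct=90):
        self.capacity, self.total_assets, self.liq = capacity, 0, liq_threshold_pct
        self.cum = WAD        # global cumulativeFeePerShare, starts at 1.0
        self.collateral = {}  # user -> ETH deposited (wei)
        self.positions = {}   # user -> (osToken shares, snapshot of cum)
    def deposit(self, user, amount):
        if self.total_assets + amount > self.capacity:
            raise ValueError("CapacityExceeded")  # option 1 from the report is gone
        self.total_assets += amount
        self.collateral[user] = self.collateral.get(user, 0) + amount
    def mint_os_token(self, user, shares):
        self.positions[user] = (shares, self.cum)
    def accrue_fee(self, bps):
        self.cum = self.cum * (10_000 + bps) // 10_000  # treasury fee accrual
    def burn_os_token(self, user, shares):
        s, c = sync_position_fee(*self.positions[user], self.cum)  # fee applied first
        self.positions[user] = (s - shares, c)
        return s - shares
    def healthy(self, user):
        s, _ = sync_position_fee(*self.positions[user], self.cum)
        return s * 100 <= self.collateral[user] * self.liq

def scenario():
    """Walk through the report: full vault, fee accrues, deposit blocked, burn only."""
    v = Vault(capacity=10 * WAD)
    v.deposit("alice", 10 * WAD)       # fills the vault to capacity
    v.mint_os_token("alice", 9 * WAD)  # exactly at the assumed 90% threshold
    v.accrue_fee(100)                  # +1% fee: shares become 9.09 ETH, unhealthy
    unhealthy_after_fee = not v.healthy("alice")
    try:
        v.deposit("alice", WAD); deposit_blocked = False
    except ValueError:
        deposit_blocked = True
    left = v.burn_os_token("alice", 9 * WAD // 100)  # burn 0.09 ETH of debt
    healthy_after_burn = v.healthy("alice")
    v.accrue_fee(100)                  # fee keeps compounding on what remains
    return {"unhealthy_after_fee": unhealthy_after_fee, "deposit_blocked": deposit_blocked,
            "shares_after_burn": left, "healthy_after_burn": healthy_after_burn,
            "healthy_next_period": v.healthy("alice")}
```

Running `scenario()` shows the loop the reporter describes: the burn restores health for one period, but the next fee accrual pushes the remaining shares back over the threshold while the capacity check still rejects added collateral.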

tsudmi commented 1 year ago

There was already a similar issue. You can always burn osETH or buy it from the secondary market to increase your position health, or withdraw

JeffCX commented 1 year ago

> There was already a similar issue. You can always burn osETH or buy it from the secondary market to increase your position health, or withdraw

but in that case,

the user is forced to pay the fee because the fee always applies to the user's position.shares

also I did not see any similar submission o(╥﹏╥)o before the last 105 submissions