Open hats-bug-reporter[bot] opened 1 year ago
When exit queue update is called it decreases _totalAssets and _totalShares proportionally, so it shouldn't affect the conversion rate. It's like someone withdraws before you deposit, the rate should stay the same.
Github username: @koolexcrypto Submission hash (on-chain): 0x6c3df3b22dba0a43196420ab376acaa349eae6d70a7f87fcf3b800fb885e6bb2 Severity: high
Description:
Description
_deposit
method is used to process user deposits. The user deposits ETH and receives shares. The received shares is calculated (with rounding up) as follows:shares = assets * totalShares / _totalAssets
This is done by calling
_convertToShares
Code link
Please note that before calculating the amount of shares,
_checkHarvested
is called to check whether the vault is harvested.Code link
This is to ensure an accurate and fair price of the share before the deposit as
_totalAssets
and_totalShares
are likely to be updated when harvesting. However,_totalAssets
and_totalShares
could possibly be updated when updating the exit queue and there is no check if the exist queue can be updated. Therefore, the share price could possibly be inaccurate which is unfair. The only case where the issue doesn't occur is when callingupdateStateAndDeposit
. Otherwise, all deposits that come via callingdeposit
or by sending ETH directly to the contract (which triggers the fallback that calls_deposit
) are vulnerable to inaccurate share price.Attack Scenario
_totalAssets
and_totalShares
were updated._updateExitQueue
) which results in an unfair distribution of shares.Attachments
deposit
method and fallback which calls_deposit
Code link: deposit Code link: receive
_deposit
method where_checkHarvested
is called but no check if exist queue can be updatedCode link
_updateExitQueue
method where_totalShares
and_totalAssets
could possibly be updatedCode link
_convertToShares
method for conversion from assets to shares.Code link
Note: I've set the severity to high due to the fact that exist queue shares could be big within 24 hours. Therefore, causing unfairness in the protocol that's non-negligible.
Recommend mitigation
In
_deposit
, call_updateExitQueue
if exist queue can be updated before any calculation of the amount of sharesAn example: