Open hats-bug-reporter[bot] opened 1 year ago
In mintShares
we call updateState
that syncs the fee before new osToken shares are minted.
So when _osToken.cumulativeFeePerShare
is called it will return the correct value as timeElapsed
will be 0.
Github username: @koolexcrypto Submission hash (on-chain): 0xeedef2c48b3ee2d09c092957352ed6acb8875851b45a1c7a4c4414558406d3ef Severity: high
Description:
Description
On
mintOsToken
, when OsToken position > 0,_syncPositionFee
is called but only after minting OsTokenShares. This causes inaccurate treasury fee added to the position and it is unfair to the minter. because minting OsTokenShares increases_totalAssets
of OsToken which impact how treasury fee is calculated.Attack Scenario
There is not an attack here. It is actually a loss for the minter.
Bob mints 1 OsToken.
Position shares now is greater than 0.
Some time passes (e.g. 1 day).
Bob mints 1000 OsToken.
1000 osToken shares are minted which increases _totalAssets of OsToken
Now,
_syncPositionFee
is called which calls_osToken.cumulativeFeePerShare
._osToken.cumulativeFeePerShare
is calculating the rewards (i.e. profitAccrued) by calling_unclaimedAssets
._unclaimedAssets
calculates the rewards based on many variables including_totalAssets
as follows:Code link
Since _totalAssets is bigger, the returned rewards will be bigger.
because of this, a bigger treasury fee will be added to the minter position which is not fair as the user just minted the 1000 OsToken and it shouldn't be considred in the treasury fee calculation.
Attachments
mintOsToken
method where minting osToken shares occurs before_syncPositionFee
Code link
-
_unclaimedAssets
which considers_totalAssets
for rewards calculationCode link
Recommended Mitigation
Sync the position before minting the shares. So, the user doesn't receive unfair additional treasury fee added to the position.