VaultManager does not properly enforce _minMintAmount
Issue details
When depositing, the user inputs _minMintAmount, which is the least amount of PortfolioToken they're willing to accept. However, if we look at the code of _depositAndMint, we'll see that the min mint check is done before fees are charged:
// Ensure the minted amount meets the user's minimum expectation to mitigate slippage.
_verifyUserMintedAmount(tokenAmount, _minMintAmount);
// Mint the calculated portfolio tokens to the user, applying any cooldown periods.
tokenAmount = _mintTokenAndSetCooldown(_depositFor, tokenAmount);
This would allow a user to receive fewer tokens than the minimum they've specified, breaking a core invariant.
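The ordering problem described above, shown beside the corrected ordering in a simplified model. This is an added example, not the project's contract: ENTRY_FEE_BPS, balanceOf, _mintAfterFee (a stand-in for _mintTokenAndSetCooldown), the error name and the 1:1 deposit-to-token rate are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration only; every name and value here except
// _verifyUserMintedAmount is hypothetical and not taken from the project.
contract MinMintOrderingModel {
    uint256 public constant ENTRY_FEE_BPS = 100; // assumed 1% fee charged at mint
    mapping(address => uint256) public balanceOf;

    error InsufficientMintedAmount(uint256 minted, uint256 minimum);

    // Ordering from the report: the slippage check sees the pre-fee amount,
    // so the fee can push the received amount below minMintAmount unnoticed.
    function depositCheckBeforeFee(uint256 depositAmount, uint256 minMintAmount)
        external
        returns (uint256 tokenAmount)
    {
        tokenAmount = depositAmount; // assumed 1:1 rate
        _verifyUserMintedAmount(tokenAmount, minMintAmount);
        tokenAmount = _mintAfterFee(msg.sender, tokenAmount);
    }

    // Corrected ordering: the check runs on the amount the user actually
    // receives. A failed check reverts the whole call, including the mint.
    function depositCheckAfterFee(uint256 depositAmount, uint256 minMintAmount)
        external
        returns (uint256 tokenAmount)
    {
        tokenAmount = depositAmount; // assumed 1:1 rate
        tokenAmount = _mintAfterFee(msg.sender, tokenAmount);
        _verifyUserMintedAmount(tokenAmount, minMintAmount);
    }

    function _verifyUserMintedAmount(uint256 minted, uint256 minimum) private pure {
        if (minted < minimum) revert InsufficientMintedAmount(minted, minimum);
    }

    // Stand-in for _mintTokenAndSetCooldown: deducts the fee and mints the rest.
    function _mintAfterFee(address to, uint256 amount) private returns (uint256 net) {
        net = amount - (amount * ENTRY_FEE_BPS) / 10_000;
        balanceOf[to] += net;
    }
}
```

Calling both functions with the deposit amount equal to minMintAmount shows the difference: the first succeeds and mints less than the minimum, the second reverts.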
Github username: @deadrosesxyz
Twitter username: @deadrosesxyz
Submission hash (on-chain): 0x1d56f602663c938c639dbf2b33efd6e3f995ab80fc5aea82d8e39fa8ec246dcf
Severity: medium