hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

Vault deployer can mint unlimited tokens to himself at vault initialization #63

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: @0xfuje
Twitter username: 0xfuje
Submission hash (on-chain): 0x6aac67f00d2c3d7d70f3cc7e0a7b6978bb07ad16f5410014feb0e7fa7d956e00
Severity: medium

Description:

Impact

Description

The asset manager can decide to seriously inflate the token value of PortfolioToken by setting the initialPortfolioAmount to a very high number at initialization of the vault and then depositing a minimal amount of funds to mint these tokens to their own address.

VaultManager.sol - _depositAndMint()

```solidity
  function _depositAndMint(
    address _depositFor,
    uint256 _minMintAmount,
    uint256 _depositRatio
  ) internal {
    uint256 _totalSupply = totalSupply();

    uint256 tokenAmount;

    // If the total supply is zero, this is the first deposit, and tokens are minted based on the initial amount.
    if (_totalSupply == 0) {
      tokenAmount = assetManagementConfig().initialPortfolioAmount();
      // Reset the high watermark to zero because this is the first deposit.
      feeModule().updateHighWaterMark(0);
    } else {
      // Calculate the amount of portfolio tokens to mint based on the deposit.
      tokenAmount = _getTokenAmountToMint(_depositRatio, _totalSupply);
    }

    // Ensure the minted amount meets the user's minimum expectation to mitigate slippage.
    _verifyUserMintedAmount(tokenAmount, _minMintAmount);

    // Mint the calculated portfolio tokens to the user, applying any cooldown periods.
    tokenAmount = _mintTokenAndSetCooldown(_depositFor, tokenAmount);

    uint256 userBalanceAfterDeposit = balanceOf(_depositFor);
    // Notify listeners of the deposit event.
    emit Deposited(
      address(this),
      _depositFor,
      tokenAmount,
      userBalanceAfterDeposit
    );
  }
```

This is because there is no upper limit enforced at the PortfolioFactory vault deployment and in updateInitialPortfolioAmount() for the maximum initial portfolio amount.

Recommendation

Consider introducing a variable maximumInitialPortfolioAmount in ProtocolConfig and enforcing that initialPortfolioAmount is below this both at portfolio deployment and in updateInitialPortfolioAmount().
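The following is an added sketch of the recommended cap, not Velvet Capital's code and not part of the report. It keeps the names the report uses (ProtocolConfig, maximumInitialPortfolioAmount, initialPortfolioAmount, updateInitialPortfolioAmount); the owner and asset-manager access checks, the constructor arguments, the storage layout and the custom error are assumptions made for the illustration. The point it shows is that the same bound is applied on both paths the report names: the value chosen at vault deployment and any later update, so that the fixed first-deposit mint in _depositAndMint() can never exceed a protocol-wide maximum.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration of the report's recommendation; not Velvet Capital's code.
// Access control, constructor shape and the error below are assumptions.

error InitialPortfolioAmountTooHigh(uint256 requested, uint256 maximum);

contract ProtocolConfig {
    address public immutable owner;
    // Protocol-wide upper bound that every vault's initialPortfolioAmount must respect.
    uint256 public maximumInitialPortfolioAmount;

    constructor(uint256 _maximumInitialPortfolioAmount) {
        owner = msg.sender;
        maximumInitialPortfolioAmount = _maximumInitialPortfolioAmount;
    }

    function setMaximumInitialPortfolioAmount(uint256 _max) external {
        require(msg.sender == owner, "not owner");
        maximumInitialPortfolioAmount = _max;
    }
}

contract AssetManagementConfig {
    ProtocolConfig public immutable protocolConfig;
    address public immutable assetManager;
    // Amount minted to the first depositor regardless of the size of that deposit.
    uint256 public initialPortfolioAmount;

    constructor(
        ProtocolConfig _protocolConfig,
        address _assetManager,
        uint256 _initialPortfolioAmount
    ) {
        protocolConfig = _protocolConfig;
        assetManager = _assetManager;
        // Bound checked at deployment (the PortfolioFactory path in the report) ...
        _checkInitialPortfolioAmount(_initialPortfolioAmount);
        initialPortfolioAmount = _initialPortfolioAmount;
    }

    // ... and again on every later update, so the cap cannot be bypassed by
    // deploying with a small value and raising it before the first deposit.
    function updateInitialPortfolioAmount(uint256 _newAmount) external {
        require(msg.sender == assetManager, "not asset manager");
        _checkInitialPortfolioAmount(_newAmount);
        initialPortfolioAmount = _newAmount;
    }

    function _checkInitialPortfolioAmount(uint256 _amount) internal view {
        uint256 max = protocolConfig.maximumInitialPortfolioAmount();
        if (_amount > max) revert InitialPortfolioAmountTooHigh(_amount, max);
    }
}
```

Reading the cap from ProtocolConfig at call time rather than copying it into the vault means a later reduction by the protocol owner takes effect for every subsequent update without redeploying vaults; whether an already-stored value above a lowered cap should also be rejected at first deposit is a design decision the report leaves open.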

langnavina97 commented 1 week ago

This will be set before the user invests for the first time, allowing them to make an informed decision about whether to invest or not. @0xfuje