Open hats-bug-reporter[bot] opened 1 week ago
Users can withdraw their existing funds at any time and can decide whether they want to invest after the asset manager increases the minimum token amount. @0xfuje
Thanks for the quick judging everywhere @langnavina97. True, it only affects deposits, and that doesn't have much of an impact here.
Github username: @0xfuje
Twitter username: 0xfuje
Submission hash (on-chain): 0x6aac67f00d2c3d7d70f3cc7e0a7b6978bb07ad16f5410014feb0e7fa7d956e00
Severity: medium
Description:
Impact
Permanent or temporary denial of service of Portfolio deposits
Description
The asset manager can decide to update the minimum portfolio token holding amount at any time by calling the updateMinPortfolioTokenHoldingAmount() function. The problem is, he can abuse this functionality to set the minimum portfolio token holding amount to an unreachable number.
PortfolioSettings.sol - updateMinPortfolioTokenHoldingAmount()
This is because there is only a lower limit and no upper limit enforced for the minPortfolioTokenHoldingAmount of the ProtocolConfig.
Proof of Concept
Portfolio vault
updateMinPortfolioTokenHoldingAmount()
to type(uint256).max
_getTokenAmountToMint()
Recommendation
Consider introducing a variable maximumMinPortfolioTokenHoldingAmount in ProtocolConfig that is settable by protocol admins, and enforcing that minPortfolioTokenHoldingAmount can never be set above it by the asset manager.
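The shape of the missing upper bound and of the fix proposed above, as an added Solidity sketch that is not the project's code and not part of the original report. Only the names updateMinPortfolioTokenHoldingAmount(), minPortfolioTokenHoldingAmount, _getTokenAmountToMint(), PortfolioSettings, ProtocolConfig and maximumMinPortfolioTokenHoldingAmount come from the report; the setter for the new cap, the single-address access control, the initial values and the minting arithmetic inside _getTokenAmountToMint() are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Everything except the
// identifiers quoted in the report is assumed for illustration.

contract ProtocolConfig {
    address public protocolAdmin;
    // Protocol-wide lower bound the report says already exists (value assumed).
    uint256 public minPortfolioTokenHoldingAmount = 1e18;
    // Upper bound proposed in the report, settable only by protocol admins (value assumed).
    uint256 public maximumMinPortfolioTokenHoldingAmount = 1_000e18;

    constructor() {
        protocolAdmin = msg.sender;
    }

    // Assumed admin setter for the new cap; keeps max >= min so the
    // asset manager always has a valid range to pick from.
    function setMaximumMinPortfolioTokenHoldingAmount(uint256 newMax) external {
        require(msg.sender == protocolAdmin, "not protocol admin");
        require(newMax >= minPortfolioTokenHoldingAmount, "max below protocol min");
        maximumMinPortfolioTokenHoldingAmount = newMax;
    }
}

contract PortfolioSettings {
    ProtocolConfig public immutable config;
    address public assetManager;
    uint256 public minPortfolioTokenHoldingAmount;

    constructor(ProtocolConfig _config) {
        config = _config;
        assetManager = msg.sender;
        minPortfolioTokenHoldingAmount = _config.minPortfolioTokenHoldingAmount();
    }

    // Vulnerable form as described in the report: only the lower limit is
    // checked, so type(uint256).max is accepted and every later deposit
    // that goes through _getTokenAmountToMint() reverts.
    function updateMinPortfolioTokenHoldingAmountVulnerable(uint256 newAmount) external {
        require(msg.sender == assetManager, "not asset manager");
        require(newAmount >= config.minPortfolioTokenHoldingAmount(), "below protocol min");
        minPortfolioTokenHoldingAmount = newAmount;
    }

    // Hardened form following the recommendation: the asset manager may
    // tune the minimum only inside the admin-controlled [min, max] window.
    function updateMinPortfolioTokenHoldingAmount(uint256 newAmount) external {
        require(msg.sender == assetManager, "not asset manager");
        require(newAmount >= config.minPortfolioTokenHoldingAmount(), "below protocol min");
        require(newAmount <= config.maximumMinPortfolioTokenHoldingAmount(), "above protocol max");
        minPortfolioTokenHoldingAmount = newAmount;
    }

    // Assumed deposit-side check where the denial of service surfaces: the
    // share arithmetic is a placeholder, the point is the final require.
    function _getTokenAmountToMint(
        uint256 depositValue,
        uint256 totalSupply,
        uint256 totalAssets
    ) internal view returns (uint256 mintAmount) {
        mintAmount = totalSupply == 0 ? depositValue : (depositValue * totalSupply) / totalAssets;
        // With minPortfolioTokenHoldingAmount == type(uint256).max this can
        // never hold, so no deposit of any size succeeds.
        require(mintAmount >= minPortfolioTokenHoldingAmount, "below min holding amount");
    }
}
```

The cap lives in ProtocolConfig rather than in PortfolioSettings so that the party able to raise it (protocol admin) is distinct from the party the report identifies as able to abuse the setter (asset manager); a cap the asset manager could move would not bound anything.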