Open hats-bug-reporter[bot] opened 11 months ago
This statement is false:
"And since the pool can receive ethers from any one directly (by direct transfer of ethers without going through the deposit process); so the eETH.totalShares() and the totalPooledEther are not necessarily 1:1."
The totalPooledEther does not change by any direct ETH transfer to the LiquidityPool contract.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x23b9bcafba7e25f79d43c2ff27224438035b75268999ab03888b375b5589354f
Severity: medium
Description:
Attack Scenario
LiquidityPool contract depends on users depositing their ethers and getting eETH share tokens as a source of liquidity/funds.
When a user deposits in the LP, he will be minted eETH shares proportional to the totalSupply of the shares tokens (eETH.totalShares()) and the available ether balance of the pool (totalPooledEther):
LiquidityPool._deposit function
LiquidityPool._sharesForDepositAmount function
And since the pool can receive ethers from any one directly (by direct transfer of ethers without going through the deposit process), the eETH.totalShares() and the totalPooledEther are not necessarily 1:1.
For example:
eETH, and the eETH:ETH is 1:1 (1e18 shares are minted for 1 ether -which equals 1e18-).
(_depositAmount * eETH.totalShares()) / totalPooledEther which equals: 1e18*1e18/3e18 = 0.33e18 = 33e16 of eETH share tokens.
Any user who wants to withdraw his asset from the pool must first add a withdrawal request, then withdraw.
Mitigation
LiquidityPool.withdraw function
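
The disagreement in this thread comes down to whether totalPooledEther is a tracked counter or the contract's raw ether balance. The following added example is a simplified Python model (not the LiquidityPool code and not part of the report) that applies the quoted share formula under both assumptions. The Pool class, its method names, the 1:1 first-deposit rule and the 2 ether direct transfer are assumptions chosen to reproduce the report's 1e18*1e18/3e18 figure.

```python
WEI = 10**18  # 1 ether in wei

class Pool:
    """Toy share-issuing pool (assumed model, not the ether.fi contract)."""

    def __init__(self, internal_accounting):
        self.internal_accounting = internal_accounting
        self.balance = 0        # raw ether held by the contract
        self.tracked = 0        # counter that only deposit() updates
        self.total_shares = 0
        self.shares = {}

    def total_pooled_ether(self):
        # Tracked counter (the reply's description) or raw balance (the report's premise).
        return self.tracked if self.internal_accounting else self.balance

    def shares_for_deposit_amount(self, amount):
        pooled = self.total_pooled_ether()
        if pooled == 0:
            return amount       # assumption: the first deposit mints 1:1
        # Formula quoted in the report, with Solidity-style integer division.
        return amount * self.total_shares // pooled

    def deposit(self, user, amount):
        minted = self.shares_for_deposit_amount(amount)
        self.balance += amount
        self.tracked += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def direct_transfer(self, amount):
        # Ether that arrives without deposit(): only the raw balance moves.
        self.balance += amount

def scenario(internal_accounting):
    """Shares minted for a 1 ether deposit that follows a 2 ether direct transfer."""
    pool = Pool(internal_accounting)
    pool.deposit("first_depositor", 1 * WEI)
    pool.direct_transfer(2 * WEI)
    return pool.deposit("second_depositor", 1 * WEI)

if __name__ == "__main__":
    print("tracked counter:", scenario(True))
    print("raw balance:    ", scenario(False))
```

With a tracked counter the second depositor still receives 1e18 shares; only the raw-balance model yields the roughly 0.33e18 figure from the report.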