Open sherlock-admin opened 1 year ago
Escalate for 1 USDC
This leads to material loss of funds. Definitely high risk
You've created a valid escalation for 1 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation accepted
This issue's escalations have been accepted!
Contestants' payouts and scores will be updated according to the changes made on this issue.
0xRajeev
high
Anyone can deposit and mint withdrawal proxy shares to capture distributed yield from borrower interests

Summary
Anyone can deposit and mint Withdrawal proxy shares by directly interacting with the base ERC4626Cloned contract's functions, allowing them to capture distributed yield from borrower interests.

Vulnerability Detail
The WithdrawProxy contract extends the ERC4626Cloned vault contract implementation. The ERC4626Cloned contract has the functionality to deposit and mint vault shares. Usually, withdrawal proxy shares are only distributed via the WithdrawProxy.mint function, which is only called by the PublicVault.redeemFutureEpoch function. Anyone can deposit WETH into a deployed Withdraw proxy to receive shares, wait until assets (WETH) are deposited via the PublicVault.transferWithdrawReserve or LiquidationAccountant.claim function, and then redeem their shares for WETH assets.

Impact
By depositing/minting directly to the Withdraw proxy, one can get interest yield on demand without being an LP and without having capital locked for one or more epochs. This may be timed so that the deposit/mint happens only when it is known that interest yields are being paid by a borrower who is not defaulting on their loan. LP returns are diluted in favour of whoever interacts directly with the underlying proxy.
Code Snippet
Tool used
Manual Review
Recommendation
Override the ERC4626Cloned.afterDeposit function and revert in it to prevent public deposits and mints.
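As an added illustration of the recommended fix (not code from the project's repository): a stand-in base contract whose public deposit() and mint() both call the afterDeposit hook, and a hardened proxy whose override of that hook reverts, while share issuance for epoch withdrawals goes through a vault-only function that never touches the hook. MinimalVault, HardenedWithdrawProxy, mintForVault and the error names are assumptions standing in for ERC4626Cloned, WithdrawProxy and WithdrawProxy.mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal ERC4626-style base standing in for ERC4626Cloned (not the
// project's code). deposit() and mint() both call the afterDeposit hook, which is
// what the recommendation overrides. Token transfers are omitted; only share
// accounting is modelled.
abstract contract MinimalVault {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public totalAssets;

    function deposit(uint256 assets, address receiver) public virtual returns (uint256 shares) {
        shares = totalSupply == 0 ? assets : (assets * totalSupply) / totalAssets;
        totalAssets += assets;
        _mint(receiver, shares);
        afterDeposit(assets, shares);
    }

    function mint(uint256 shares, address receiver) public virtual returns (uint256 assets) {
        assets = totalSupply == 0 ? shares : (shares * totalAssets) / totalSupply;
        totalAssets += assets;
        _mint(receiver, shares);
        afterDeposit(assets, shares);
    }

    // Empty default hook; subclasses override it.
    function afterDeposit(uint256, uint256) internal virtual {}

    function _mint(address to, uint256 shares) internal {
        totalSupply += shares;
        balanceOf[to] += shares;
    }
}

// Hardened proxy: the hook always reverts, so public deposit()/mint() calls fail.
// Epoch-withdrawal shares are issued only through a vault-restricted function that
// bypasses the hook (assumed shape of WithdrawProxy.mint as called from
// PublicVault.redeemFutureEpoch; the names below are illustrative).
contract HardenedWithdrawProxy is MinimalVault {
    address public immutable vault;
    error PublicDepositDisabled();
    error NotVault();

    constructor(address vault_) { vault = vault_; }

    function afterDeposit(uint256, uint256) internal pure override {
        revert PublicDepositDisabled();
    }

    function mintForVault(uint256 shares, address receiver) external {
        if (msg.sender != vault) revert NotVault();
        _mint(receiver, shares);
    }
}
```

Because the revert sits in the hook rather than in deposit() or mint() individually, both public entry points of the inherited vault are closed at once, and any future entry point that reuses the hook is covered as well.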