0xSmartContract
high
Price manipulation can lead to users losing funds
Summary
An early malicious user will profit from future users' deposits while those future users will lose funds/value.
Vulnerability Detail
An early user can call the deposit function of a vault with only 1 wei of the asset and receive 1 wei of shares in return. After that the attacker may send 10000 * 10 ** 18 wei of the asset directly to the vault to inflate the share price from 1 to 1 * 10 ** 22 ((1 + 10000e18 - 1) / 1).
The next user who deposits some amount of the asset will receive significantly fewer shares: if the next user deposits 20000 * 10 ** 18 wei of the asset they will receive only 2 wei of shares, which means they have lost half of their money if they claim right after that.
Impact
Code Snippet
Vault.vy#L219-L222
Tool used
Manual Review
Recommendation
When creating the vault, add initial funds in order to make it harder to inflate the price. Best practice would be to add the initial funds as part of the initialization of the contract (to prevent front-running).
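As an added illustration (not the project's Vault.vy code), the following Python model replays the share math described above with the numbers from this finding, using floor division as on-chain integer math does, and then runs it again with the recommended initial funds in place (an assumed seed of 10**18 wei) so the effect of the mitigation can be compared:

```python
# Added example, not the project's Vault.vy code: a model of the share math
# the finding describes, replayed with its numbers and with the recommended seed.

class ShareVault:
    def __init__(self) -> None:
        self.total_assets = 0
        self.total_shares = 0

    def deposit(self, assets: int) -> int:
        if self.total_shares == 0:
            shares = assets  # empty vault mints 1:1
        else:
            shares = assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        # Plain token transfer to the vault: assets grow, no shares minted,
        # so the price per share jumps.
        self.total_assets += assets

    def redeem(self, shares: int) -> int:
        assets = shares * self.total_assets // self.total_shares
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


def run_scenario(initial_funds: int, attacker_seed: int,
                 donation: int, victim_deposit: int) -> dict:
    # Replays the finding's sequence; initial_funds > 0 is the mitigation.
    v = ShareVault()
    if initial_funds:
        v.deposit(initial_funds)  # seeded during initialization
    attacker_shares = v.deposit(attacker_seed)
    v.donate(donation)
    victim_shares = v.deposit(victim_deposit)
    victim_out = v.redeem(victim_shares)
    attacker_out = v.redeem(attacker_shares)
    return {"victim_shares": victim_shares, "victim_out": victim_out,
            "victim_loss": victim_deposit - victim_out,
            "attacker_net": attacker_out - attacker_seed - donation}


if __name__ == "__main__":
    for seed in (0, 10**18):  # 10**18 is an assumed one-token seed
        print(seed, run_scenario(seed, 1, 10_000 * 10**18, 20_000 * 10**18))
```

With the page's numbers the unseeded vault rounds the victim down to a single share and hands the rounding loss to the attacker; in the seeded vault the donation accrues mostly to the initial shares, the victim's loss is a few thousand wei of rounding, and the attacker ends at a net loss.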
Duplicate of #71