search

sherlock-audit / 2023-02-surge-judging

4 stars 1 forks source link

ak1 - pool.sol : First depositor can influence on the share value of the other depositor who may face truncation issue. #241

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ak1

medium

pool.sol : First depositor can influence on the share value of the other depositor who may face truncation issue.

Summary

This issue can be faced by almost all the pool based contract. where initial depositor can deposit big amount. This will directly influence on the share value other depositors.

Vulnerability Detail

function tokenToShares (uint _tokenAmount, uint _supplied, uint _sharesTotalSupply, bool roundUpCheck) internal pure returns (uint) {
    if(_supplied == 0) return _tokenAmount;
    uint shares = _tokenAmount * _sharesTotalSupply / _supplied;
    if(roundUpCheck && shares * _supplied < _tokenAmount * _sharesTotalSupply) shares++;
    return shares;
}

Pool calculates the share of deposit value as shown in above calculation. First user who deposit huge sum can decide the share values.

Impact

Future users can be suffered by less number of shares due to truncation issue.

Code Snippet

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L199-L204

Tool used

Manual Review

Recommendation

During pool creation, mint/deposit some amount of initial share.

Duplicate of #125