saian - Pool.deposit will revert if tokens are transferred directly to the pool

[github-actions[bot]]

saian

medium

Pool.deposit will revert if tokens are transferred directly to the pool

Summary

Pool.deposit will revert if tokens are transferred directly to the pool

Vulnerability Detail

In Pool.deposit share for the deposited amount is calculated in function tokenToShares.

function tokenToShares (uint _tokenAmount, uint _supplied, uint _sharesTotalSupply, bool roundUpCheck) internal pure returns (uint) {
    if(_supplied == 0) return _tokenAmount;
    uint shares = _tokenAmount * _sharesTotalSupply / _supplied;
    if(roundUpCheck && shares * _supplied < _tokenAmount * _sharesTotalSupply) shares++;
    return shares;
}

The shares is calculated based on the total shares, total token amount. If the contract balance tokens is 0, then the input _tokenAmount is returned. So a user can transfer tokens directly to a newly deployed pool which will result in 0 shares.

And the deposit function will revert when share amount is 0.

        require(_shares > 0, "Pool: 0 shares");

Impact

User are prevented from deposited into the pool

Code Snippet

function tokenToShares (uint _tokenAmount, uint _supplied, uint _sharesTotalSupply, bool roundUpCheck) internal pure returns (uint) {
    if(_supplied == 0) return _tokenAmount;
    uint shares = _tokenAmount * _sharesTotalSupply / _supplied;
    if(roundUpCheck && shares * _supplied < _tokenAmount * _sharesTotalSupply) shares++;
    return shares;
}

Tool used

Manual Review

Recommendation

    function tokenToShares (uint _tokenAmount, uint _supplied, uint _sharesTotalSupply, bool roundUpCheck) internal pure returns (uint) {
      - if(_supplied == 0) return _tokenAmount;
      + if( _sharesTotalSupply == 0) return _tokenAmount;
        uint shares = _tokenAmount * _sharesTotalSupply / _supplied;
        if(roundUpCheck && shares * _supplied < _tokenAmount * _sharesTotalSupply) shares++;
        return shares;
    }

Duplicate of #86