This function does not have any min amount to witdraw. like how the carosul.sol has for deposit and depositETH.
when we look at the function logic, it first burns the tokens and then transfers the shares only if if (entitledShares > 0)
User can call any value to withdraw. given these type scenario, for a given small amount value the , the previewWithdraw could return zero value.
In the above scenario, user will not get anything instead the assets are burned.
ak1
medium
VaultV2.sol
:withdraw
is not providing fair logic to end user.Summary
User can call the withdraw function to widthdraw.
This function does not have any min amount to witdraw. like how the carosul.sol has for deposit and depositETH.
when we look at the function logic, it first burns the tokens and then transfers the shares only if
if (entitledShares > 0)
User can call any value to withdraw. given these type scenario, for a given small amount value the , thepreviewWithdraw
could return zero value.In the above scenario, user will not get anything instead the assets are burned.
Vulnerability Detail
in the above code snip from witdraw function, it burns assets and transfers the entitledShares only if
entitledShares > 0
Impact
loss of asset to end user.
user may not aware of this and try to call the function with minimum asset value for their need.
user may not be wanted to withdraw large amount of value always.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/VaultV2.sol#L169-L180
Tool used
Manual Review
Recommendation
update the logic as shown below,