InsuranceFund First Depositor Can Break Minting of Shares
Summary
InsuranceFund First Depositor Can Break Minting of Shares
Vulnerability Detail
This is a common first depositor issue in LP share kind of pool contract. This problem can arise in most pool-based contracts where the initial depositor can contribute a large amount of assets. This directly impacts the value of shares for other depositors.
The first depositor has the ability to create a small number of shares and then donate assets to the contract pool. This manipulation of the exchange rate can result in subsequent depositors losing funds because their share amounts are rounded down. If the total asset amount has been manipulated through a significant "donation", users may not receive the expected number of shares in exchange for their deposits.
File: InsuranceFund.sol
089: function depositFor(address to, uint amount) override public {
...
094: uint _pool = _totalPoolValue();
095: uint _totalSupply = totalSupply();
096: uint vusdBalance = balance();
097: if (_totalSupply == 0 && vusdBalance > 0) { // trading fee accumulated while there were no IF LPs
098: vusd.safeTransfer(governance(), vusdBalance);
099: _pool = 0;
100: }
101:
102: vusd.safeTransferFrom(_msgSender(), address(this), amount);
103: uint shares = 0;
104: if (_pool == 0) {
105: shares = amount;
106: } else {
107: shares = amount * _totalSupply / _pool;
108: }
109: _mint(to, shares);
...
111: }
when the pool is 0, the shares minted will be the amount
Impact
After this first deposit attack, future depositors do not get the correct share amount and thus lose funds.
bitsurfer
medium
InsuranceFund First Depositor Can Break Minting of Shares
Summary
InsuranceFund First Depositor Can Break Minting of Shares
Vulnerability Detail
This is a common first depositor issue in LP share kind of pool contract. This problem can arise in most pool-based contracts where the initial depositor can contribute a large amount of assets. This directly impacts the value of shares for other depositors.
The first depositor has the ability to create a small number of shares and then donate assets to the contract pool. This manipulation of the exchange rate can result in subsequent depositors losing funds because their share amounts are rounded down. If the total asset amount has been manipulated through a significant "donation", users may not receive the expected number of shares in exchange for their deposits.
when the pool is 0, the shares minted will be the
amountImpact
After this first deposit attack, future depositors do not get the correct share amount and thus lose funds.
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/InsuranceFund.sol#L89-L111
Tool used
Manual Review
Recommendation
Enforce a minimum size for the initial deposit and either burn a portion of the initial shares or transfer them to a secure address.
Duplicate of #140