Wrong logic in PoolBalances._receivePortfolio() will cause double loss of received amount of tokens
Summary
There is wrong logic when setting portfolio in _receivePortfolio() function.
Vulnerability Detail
The problem is in _setPortfolio() which is used to set portfolio in _receivePortfolio() function.
function _receivePortfolio(address token, address sender, uint256 amount) internal virtual {
AddressUtils.checkNotZero(token);
AddressUtils.checkNotZero(sender);
_checkAmountPositive(amount);
_require(sender != address(this), Errors.SENDER_INVALID);
uint256 portfolio = _getPortfolio(token);
_require(amount <= portfolio, Errors.AMOUNT_INVALID);
_setPortfolio(token, portfolio - amount);//@audit-info here the received `amount` is deducted from the prev portfolio bal
IERC20(token).safeTransferFrom(sender, address(this), amount);
emit PortfolioReceived(token, sender, amount);
The loss happens in two ways.
The received amount is unaccounted for when updating the portfolio balance via _setPortfolio(). So the amount of tokens received via the _receivePortfolio() function vanishes and is not updated in the portfolio mapping.
mapping(address => uint256) internal _portfolio;
The received amount is deducted from previous Portfolio balance.
_setPortfolio(token, portfolio - amount);
Therefore received amount is lost and prev portfolio balance - amount is lost.
Impact
The received amount vanishes and the prev portfolio balance gets deducted with amount.
PRAISE
high
Wrong logic in PoolBalances._receivePortfolio() will cause double loss of received amount of tokens
Summary
There is wrong logic when setting portfolio in _receivePortfolio() function.
Vulnerability Detail
The problem is in _setPortfolio() which is used to set portfolio in _receivePortfolio() function.
The loss happens in two ways.
The received
amount
is unaccounted for when updating the portfolio balance via _setPortfolio(). So the amount of tokens received via the _receivePortfolio() function vanishes and is not updated in the portfolio mapping.The received
amount
is deducted from previous Portfolio balance.Therefore received
amount
is lost and prev portfolio balance -amount
is lost.Impact
The received
amount
vanishes and the prev portfolio balance gets deducted withamount
.thereby causing double loss of tokens
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/PoolBalances.sol#L73
Tool used
Manual Review
Recommendation
add the received
amount
to prev portfolio balance, don't deduct.