search

sherlock-audit / 2023-05-perennial-judging

12 stars 9 forks source link

ak1 - BalancedVault.sol# : double count of `_pendingRedemption` during settle process. #228

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ak1

high

BalancedVault.sol# : double count of _pendingRedemption during settle process.

Summary

Whenever the account is settled, _pendingRedemption value is double counted.

Vulnerability Detail

_settle would be called to update the status of pending redemption value, epoch and so.

It has the following codes

function _settle(address account) private returns (EpochContext memory context, EpochContext memory accountContext) { (context, accountContext) = _loadContextForWrite(account);

    if (context.epoch > _latestEpoch) {
        _delayedMint(_totalSupplyAtEpoch(context).sub(_totalSupply.add(_pendingRedemption)));
        _totalUnclaimed = _totalUnclaimedAtEpoch(context);

 if (account != address(0)) {
        if (accountContext.epoch > _latestEpochs[account]) {
            _delayedMintAccount(account, _balanceOfAtEpoch(accountContext, account).sub(_balanceOf[account].add(_pendingRedemptions[account])));

the line delayedMint(_totalSupplyAtEpoch(context).sub(_totalSupply.add(_pendingRedemption))); will determine how much need to be minted.

when we look at the _totalSupplyAtEpoch,_pendingRedemption is already added and retuned.

function _totalSupplyAtEpoch(EpochContext memory context) private view returns (UFixed18) {
    if (context.epoch == _latestEpoch) return _totalSupply.add(_pendingRedemption);
    return _totalSupply.add(_pendingRedemption).add(_convertToShares(context, _deposit));
}

But, the delayedMint is including the _pendingRedemption once again and allow for minting.

Impact

Double count of _pendingRedemption value for minting.

Code Snippet

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-vaults/contracts/balanced/BalancedVault.sol#L375-L424

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-vaults/contracts/balanced/BalancedVault.sol#L697-L700

Tool used

Manual Review

Recommendation

remove the _pendingRedemption from following lines

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-vaults/contracts/balanced/BalancedVault.sol#L379

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-vaults/contracts/balanced/BalancedVault.sol#L407