sherlock-admin2
commented
1 year ago 1 comment(s) were left on this issue during the judging contest.
Trumpero commented:
low, few weis lost due to rounding error
Closed sherlock-admin2 closed 1 year ago
sherlock-admin2
commented
1 year ago 1 comment(s) were left on this issue during the judging contest.
Trumpero commented:
low, few weis lost due to rounding error
hassan-truscova
medium
Initial user of LMPVault can abuse rounding error to steal tokens
Summary
Similar to the well known attack vector - TOB-YEARN. ERC4626 vault contracts suffer from a commonly known vulnerability due to division rounding. The initial user can massively skew the ratio of shares to assets with a large"donation", and can profit off of later users.
Vulnerability Detail
In LMPVault, the deposit function has no minimum deposit limit or burn. It calls
previewDeposit()with_convertToShares(assets, Math.Rounding.Down)to calculate the number of shares. This function_convertToShares()takes into account the totalAssets() returning the sum oftotalIdleandtotalDebt.However, due to rounding errors, an attacker who deposits to a fresh vault can skew the ratio by transferring in a large quantity of TOKE tokens by following these steps.
Impact
Exploit by first user of vault. Loss of tokens by other users
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L332-L344
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L328-L330
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L587-L592
Tool used
Manual Review + in-house tool
Recommendation
Burn the first (if totalSupply() == 0) 10000wei of minted shares by sending them to address 0. This will make the cost to pull of this attack unfeasible.