Closed: sherlock-admin closed this issue 1 year ago
3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because convertToShares() is not callable by user
n33k commented:
invalid, not convincing without PoC
darkart commented:
The POC you gave doesn't show how you can manipulate checkpoints
feelereth
high
The convertToShares and convertToAssets functions are vulnerable to manipulation of the total shares and assets values.
Summary
The convertToShares and convertToAssets functions assume the total shares and assets can't be manipulated. But an attacker could potentially manipulate checkpoints to change these values. The calculations should check for valid, immutable values.
Vulnerability Detail
The convertToShares and convertToAssets functions are vulnerable to manipulation of the total shares and assets values.
The key issue is that these functions rely on calling totalShares() and totalAssets() to get the current total shares and assets. However, an attacker could manipulate these values by manipulating the checkpoint data.
Specifically, an attacker could:
Impact
Assets are drained
Code Snippet
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/Vault.sol#L131-L132
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/Vault.sol#L140-L141
Tool used
Manual Review
Recommendation
convertToShares and convertToAssets should rely on immutable values that can't be manipulated, like: