User Will loose their tokens if they deposit the same amount of Quote token as the Maintainer Fee
Summary
Due to the way the buyShares Function is written when a user transfers their tokens into the contract, the maintainer fee is subtracted from the balance to account for it, but in a particular situation, where the depositor sends the same amount of quote tokens to the GSP contract, they will get zero shares and will loose their tokens.
In the buyShares function, the calculation of how many shares to mint for the user is shown below,
function buyShares(address to)
external
nonReentrant
returns (
uint256 shares,
uint256 baseInput,
uint256 quoteInput
)
{
uint256 baseBalance = _BASE_TOKEN_.balanceOf(address(this)) - _MT_FEE_BASE_;
uint256 quoteBalance = _QUOTE_TOKEN_.balanceOf(address(this)) - _MT_FEE_QUOTE_;
//@audit Over here the issue presents itself, when the depositor, sends tokens to the contract and the balance is calaculated this, way if the user sends the same amount of Maintaner fee for the quote token, the quote balance will essentially be zero
uint256 baseReserve = _BASE_RESERVE_;
uint256 quoteReserve = _QUOTE_RESERVE_;
baseInput = baseBalance - baseReserve;
quoteInput = quoteBalance - quoteReserve;
//@audit When the input is calculated the base input is calculated normally, as the user sent a normal amount, but over here the quote input will essentially be zero as there is no reserves yet
require(baseInput > 0, "NO_BASE_INPUT");
//@audit The Require statement does not check for the value of quote token before proceeding and continues the function,
But because of how the function works it will not revert but mint zero shares, for the user, The calculations uses mint ratio and if the quote ratio is zero the amount of shares to mint will also be zero. The snippet below will show reason why the function will mint zero
A More Robust Deposit system should be implemented, like a check to make sure the amount of quote tokens sent to the contract is not the same as the Maintainer fee, and also a value that updates as the Maintainer fee increases to check if the tokens sent are equals to to the maintainer fee, to prevent loss of funds
inzinko
high
User Will loose their tokens if they deposit the same amount of Quote token as the Maintainer Fee
Summary
Due to the way the
buyShares
Function is written when a user transfers their tokens into the contract, the maintainer fee is subtracted from the balance to account for it, but in a particular situation, where the depositor sends the same amount of quote tokens to theGSP
contract, they will get zero shares and will loose their tokens.Vulnerability Detail
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPFunding.sol#L25C4-L82C6
In the
buyShares
function, the calculation of how many shares to mint for the user is shown below,But because of how the function works it will not revert but mint zero shares, for the user, The calculations uses mint ratio and if the quote ratio is zero the amount of shares to mint will also be zero. The snippet below will show reason why the function will mint zero
Impact
Loss of Quote Tokens For The User
Code Snippet
Tool used
Manual Review
Recommendation
A More Robust Deposit system should be implemented, like a check to make sure the amount of quote tokens sent to the contract is not the same as the Maintainer fee, and also a value that updates as the Maintainer fee increases to check if the tokens sent are equals to to the maintainer fee, to prevent loss of funds