GPSFunding::buyShares First depositor inflation attack
Summary
An early LP can use a direct donation to the pool to ensure that later share buyers end up with less shares due to rounding.
Vulnerability Detail
An early LP can mint some amount of shares, at least 1000 as seen in GSPVault::_mint.
Then by withdrawing 999 shares, totalSupply == 1. The LP donates a sizeable amount to the pool in each token: 1k$ for quote and for base.
The next depositors, will have to mint at least 1000 shares (e.g. 1M$ in value), and by doing so, can be rounded down by 1k$ of value, which inflates value of the shares of the initial depositor.
Impact
Initial depositor forces subsequent depositors to supply at a lowered (rounded down) value, inflating the value of his own shares
cergyk
medium
GPSFunding::buyShares First depositor inflation attack
Summary
An early LP can use a direct donation to the pool to ensure that later share buyers end up with less shares due to rounding.
Vulnerability Detail
An early LP can mint some amount of shares, at least
1000
as seen inGSPVault::_mint
. Then by withdrawing 999 shares,totalSupply == 1
. The LP donates a sizeable amount to the pool in each token: 1k$ for quote and for base.The next depositors, will have to mint at least
1000
shares (e.g. 1M$ in value), and by doing so, can be rounded down by 1k$ of value, which inflates value of the shares of the initial depositor.Impact
Initial depositor forces subsequent depositors to supply at a lowered (rounded down) value, inflating the value of his own shares
Code Snippet
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPFunding.sol#L67-L68
Tool used
Manual Review
Recommendation
For reference, some solutions are discussed for the vault standard erc4626 here: https://docs.openzeppelin.com/contracts/4.x/erc4626#inflation-attack
Duplicate of #55