Open sherlock-admin opened 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: rounding error: medium(7)
The protocol team fixed this issue in PR/commit https://github.com/napierfi/v1-pool/pull/158.
The Lead Senior Watson signed off on the fix.
xiaoming90
medium
swapUnderlyingForYt revert due to rounding issues
Summary
The core function (swapUnderlyingForYt) of the Router will revert due to rounding issues. Users who intend to swap underlying assets to YT tokens via the Router will be unable to do so.
Vulnerability Detail
The swapUnderlyingForYt function allows users to swap underlying assets to a specific number of YT tokens they desire.
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L353
Lines 353-354 above compute the amount of underlying that must be deposited into the Tranche to issue the number of YT tokens the user desires. The code attempts to add a 0.01 bps buffer to prevent rounding errors that could lead to insufficient PT being repaid to the pool and result in a revert. During the audit, it was found that this buffer is ineffective in achieving its purpose.
The following example/POC demonstrates that a revert could still occur due to insufficient PT being repaid despite having a buffer:
Let the state be the following:
The following computes the number of underlying assets to be transferred to the Tranche to mint/issue PY + YT
Subsequently, the code will perform a flash-swap via the swapPtForUnderlying function. It will borrow 123 PT from the pool, which must be repaid later.
In the swap callback function, the code will transfer 118 underlying assets to the Tranche and execute the Tranche.issue function to mint/issue PY + YT.
Within the Tranche.issue function, it will trigger the adapter.prefundedDeposit() function to mint the estETH/shares. The following is the number of estETH/shares minted:
Next, Line 219 below of the Tranche.issue function will compute the number of PY+YT to be issued/minted.
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L219
At the end of the Tranche.issue function, 122 PY + YT is issued/minted back to the Router.
Note that 123 PT was flash-loaned earlier, and 123 PT needs to be repaid. Otherwise, the code at Line 164 below will revert. The main problem is that only 122 PY was issued/minted (a shortfall of 1 PY). Thus, the swap TX will revert at the end.
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L164
Impact
The core function (swapUnderlyingForYt) of the Router will break. Users who intend to swap underlying assets to YT tokens via the Router will not be able to do so.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L353
Tool used
Manual Review
Recommendation
The buffer does not appear to be the correct approach to manage this rounding error. One could increase the buffer from 0.01% to 1% and solve the issue in the above example, but a different or larger number might cause a rounding error to surface again. Also, a larger buffer means that many unnecessary PTs will be issued.
Thus, it is recommended that a round-up division be performed when computing the uDepositNoFee and uDeposit using functions such as divWadUp so that the issued/minted PT can cover the debt.
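The rounding path described in this report, as a small integer model added here (it is not Napier's code and not part of the original report). The formulas are a simplified assumption, and CSCALE, MAXSCALE, the 1 bps default buffer (the 0.01% named in the Recommendation) and all function names are constructed so that the model reproduces the 123 borrowed / 118 deposited / 122 issued figures in the text; it compares round-down quoting with the recommended round-up quoting.

```python
# Simplified integer model of the quote -> deposit -> issue path.
# Assumed formulas and constructed values; not taken from Napier's contracts.
WAD = 10**18
MAX_BPS = 10_000
CSCALE = 12 * 10**17     # constructed: 1 share = 1.2 underlying
MAXSCALE = 125 * 10**16  # constructed: 1 share issues 1.25 PT/YT


def div(a, b, up):
    """Integer division, rounding up when `up` is set, down otherwise."""
    return -(-a // b) if up else a // b


def quote_deposit(yt_desired, buffer_bps=1, up=False):
    """Underlying to deposit for yt_desired, with a multiplicative buffer."""
    no_fee = div(yt_desired * CSCALE, MAXSCALE, up)
    return div(no_fee * (MAX_BPS + buffer_bps), MAX_BPS, up)


def issue(u_deposit):
    """Deposit mints shares, shares mint PT/YT; both steps round down."""
    shares = u_deposit * WAD // CSCALE
    return shares * MAXSCALE // WAD


def simulate(yt_desired, buffer_bps=1, up=False):
    """Return (deposit, issued, shortfall) for a flash-borrow of yt_desired PT."""
    deposit = quote_deposit(yt_desired, buffer_bps, up)
    issued = issue(deposit)
    return deposit, issued, max(0, yt_desired - issued)


def min_floor_buffer_bps(yt_desired):
    """Smallest buffer (in bps) that avoids a shortfall with round-down quoting."""
    for bps in range(MAX_BPS + 1):
        if simulate(yt_desired, bps)[2] == 0:
            return bps
    return None


if __name__ == "__main__":
    print(simulate(123))             # round-down quote: buffer truncates away
    print(simulate(123, up=True))    # round-up quote: issued PT covers the debt
    print(min_floor_buffer_bps(123)) # buffer size needed if rounding stays down
```

In this model the buffer needed under round-down quoting depends on the amount and the scales, which is why a fixed percentage is fragile and a round-up division is the more direct fix.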