sherlock-admin
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: high(2)
Closed sherlock-admin closed 7 months ago
sherlock-admin
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: high(2)
xAlismx
high
ERC4626 like inflation attack on BaseLSTAdapter
Summary
BaseLSTAdapter is an ERC4626 vault and it's vulnerable to inflation attack since no mitigation has been performed to prevent it, the malicious user (first depositor) can perform an inflation attack on the adapter and inflate share price, so users that issue tokens (pt, yt) from tranche wouldn't get any pt or yt token.
Vulnerability Detail
A malicious user can mint some shares in BaseLSTAdapter and then transfer huge amounts of stEther ( if Lido adapter is used ) to the vault since he is the first depositor he won't lose anything since totalAssets has been increased significantly it can lead to a rounding error when minting new shares so when a user tries to mint pt and yt from tranche may lose assets, tranche transfers underlying assets to adapter and since share price is inflated if asset amount is not large enough it would lead to rounding error and minting 0 shares so no pt or yt would be minted through tranche for user. you can read more about this attack in the following article: https://mixbytes.io/blog/overview-of-the-inflation-attack
Impact
Loss of assets
Code Snippet
https://github.com/sherlock-audit/2024-01-napier-MehdiKarimi81/blob/3226041850e29a114ec95a722a1155e39637b89f/napier-v1/src/adapters/BaseLSTAdapter.sol#L146-L169 https://github.com/sherlock-audit/2024-01-napier-MehdiKarimi81/blob/3226041850e29a114ec95a722a1155e39637b89f/napier-v1/src/adapters/lido/StEtherAdapter.sol#L114-L117 https://github.com/sherlock-audit/2024-01-napier-MehdiKarimi81/blob/3226041850e29a114ec95a722a1155e39637b89f/napier-v1/src/Tranche.sol#L206-L225
Tool used
Manual Review
Recommendation
consider depositing some assets into the vault upon initialization. The corresponding shares are minted to the vault itself, which functions as a non-operational address. This strategy is akin to the creation of dead shares, but the loss is borne by the project. The more assets deposited initially, the more challenging it becomes to execute an inflation attack. However, sufficient funds must be available for the initial deposit.
Duplicate of #94