search

sherlock-audit / 2024-01-napier-judging

9 stars 6 forks source link

cheatcode - Missing Validation of Issued Tokens Against Collected Fees leads to protocol insolvency #31

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

cheatcode

medium

Missing Validation of Issued Tokens Against Collected Fees leads to protocol insolvency

Summary

The issue function lacks checks that the issued tokens properly correlate to the fees gathered this could enable issued to be higher than expected if decimal math is off. Leading to undercollected fees over time.

require(issuedTokens + feesCollected <= totalShares)

Without this, it may be possible over repeated depositor actions that:

issuedTokens + feesCollected > totalShares

This means the contract is minting more principal tokens than the actual shares it is receiving from deposits.

Vulnerability Detail

While the discrepancies might be small, this could allow attackers to profitably extract excessive value.

For example, an attacker could:

  1. Manipulate calculations to issue 1% more tokens than deposited shares each time
  2. Slowly drain the excess tokens for profit

At scale across all users, this little bias in the accounting could lead to accumulating losses for the protocol.

Gradually making the system insolvent as more value is leaked out than came in from deposits.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L217C9-L222C29

Tool used

Manual Review

Recommendation

Requiring the following invariant check prevents this scenario by enforcing accurate accounting. This safeguards against protocol insolvency due to systematic accounting errors.

Add invariant check:

require(issued.add(fees) <= sharesUsed, "Invalid share deduction");
sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: provide POC