Open sherlock-admin2 opened 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: slippage; medium(15)
The protocol team fixed this issue in PR/commit https://github.com/napierfi/v1-pool/pull/157.
The Lead Senior Watson signed off on the fix.
xiaoming90
high
Lack of slippage control for `issue` function
Summary
The lack of slippage control for `issue` function can lead to a loss of assets for the affected users.
Vulnerability Detail
During the issuance, the user will deposit underlying assets (e.g., ETH) to the Tranche contract, and the Tranche contract will forward them to the Adaptor contract for depositing at Line 208 below. The number of shares minted depends on the current scale of the adaptor. The current scale of the adaptor can increase or decrease at any time, depending on the current on-chain condition when the transaction is executed. For instance, LIDO's daily oracle/rebase update will increase the stETH balance, which will, in turn, increase the adaptor's scale. On the other hand, if there is a mass validator slashing event, the ETH claimed from the withdrawal queue will be less than expected, leading to a decrease in the adaptor's scale. Thus, one cannot ensure the result from the off-chain simulation will be the same as the on-chain execution.
Having said that, the number of shares minted will vary (larger or smaller than expected) if there is a change in the current scale. Assume that Alice determined off-chain that depositing 100 ETH would issue $x$ amount of PT/YT. When she executes the TX, the scale increases, leading to the amount of PT/YT issued being less than $x$. The slippage is more than what she can accept.
In summary, the `issue` function lacks the slippage control that allows the users to revert if the amount of PT/YT they received is less than the amount they expected.
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L179
Impact
Loss of assets for the affected users.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L179
Tool used
Manual Review
Recommendation
Implement a slippage control that allows the users to revert if the amount of PT/YT they received is less than the amount they expected.
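The recommended check, sketched as an added example that is not part of the original report and is not the change made in the linked fix PR. The wrapper contract `IssueWithSlippage`, the `minIssued` parameter, the custom error, and the `issue(address,uint256)` signature on `ITranche` are assumptions made for illustration; the underlying token is assumed to return `bool` from `transferFrom` and `approve`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces so the example compiles on its own.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumed shape of the Tranche entry point: returns the PT/YT amount issued.
interface ITranche {
    function issue(address to, uint256 underlyingAmount) external returns (uint256 issued);
}

/// Hypothetical periphery wrapper that adds a caller-supplied minimum output.
contract IssueWithSlippage {
    error InsufficientIssued(uint256 issued, uint256 minIssued);

    IERC20 public immutable underlying;
    ITranche public immutable tranche;

    constructor(IERC20 underlying_, ITranche tranche_) {
        underlying = underlying_;
        tranche = tranche_;
    }

    /// @param minIssued Lowest PT/YT amount the caller accepts, derived from the
    ///        off-chain simulation minus the caller's slippage tolerance.
    function issue(address to, uint256 underlyingAmount, uint256 minIssued)
        external
        returns (uint256 issued)
    {
        // Pull the deposit from the caller and let the Tranche spend it.
        require(underlying.transferFrom(msg.sender, address(this), underlyingAmount), "transferFrom failed");
        require(underlying.approve(address(tranche), underlyingAmount), "approve failed");

        // The amount issued depends on the adaptor's scale at execution time.
        issued = tranche.issue(to, underlyingAmount);

        // Revert the whole transaction, deposit included, if the scale moved
        // against the caller between simulation and execution.
        if (issued < minIssued) revert InsufficientIssued(issued, minIssued);
    }
}
```

Passing `minIssued = 0` disables the protection, so front ends should compute it from the simulated amount rather than default it to zero.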