Bandit - Shares Withdrawn Can Round In Favor Of User

[sherlock-admin4]

Bandit

high

Shares Withdrawn Can Round In Favor Of User

Summary

Vulnerability Detail

The principal tokens to withdraw during share burning is determined by value_ = (amount * EXCHANGE_RATE_EXPANSION_FACTOR) / rate where rate is determined by sharesRateInverse()

sharesRateInverse() rounds down. Since this is the denominator so when calculating the principal tokens out, the token amount actually can rounds up

This means that the user gets more tokens than they should when withdrawing leading to insolvency.

Impact

The asset to share ratio can become inflated either due to a share inflation via liquidation, and/or through accumulated rounding difference through adding principal and withdrawing shares. This can cause the gain from exploiting the round-in-favor of user to exceed the gas costs of minting and burning shares. Furthermore, even with just a small loss, the last share withdrawer cannot withdraw via burnSharesToWithdrawEarnings() as it will attempt to transfer out more tokens than are available due to the rounding direction.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L396-L415

Tool used

Manual Review

Recommendation

Reverse the rounding direction of sharesExchangeRateInverse()

Duplicate of #159

[nevillehuang]

Request poc

See comments in #159

[sherlock-admin4]

PoC requested from @BanditSecurity

Requests remaining: 6