EgisSecurity - LenderCommitmentGroup_Smart.sol#__valueOfUnderlying() - If rate = 0, then users will receive no shares if they attempt to mint, and burn won't work #281
We recommend to force the initializer of the contract, to transfer some principal tokens when initializing the contract and add those to totalPrincipalTokensCommitted. This way totalPrincipalTokensCommitted should always be larger than tokenDifferenceFromLiquidations.
EgisSecurity
medium
LenderCommitmentGroup_Smart.sol#__valueOfUnderlying() - If rate = 0, then users will receive no shares if they attempt to mint, and burn won't work
Summary
LenderCommitmentGroup_Smart.sol#__valueOfUnderlying() - If rate = 0, then users will receive no shares if they attempt to mint, and burn won't work.
Vulnerability Detail
The protocol uses
_valueOfUnderlying
to value the shares it has to mint and the principal it has to transfer when burning share tokens.It has a special case
if (rate == 0)
, this can happen quite rarely, but it's still possible.Example:
totalPrincipalTokensCommitted = 100e18
. We assume pool share tokens are minted 1:1 to simplify the example.tokenDifferenceFromLiquidations = 100e18
.addPrincipalToCommitmentGroup
with 100e18.getPoolTotalEstimatedValue
sharesExchangeRate
_valueOfUnderlying
is then called and becauserate = 0
we return 0.Note that
burnSharesToWithdrawEarnings
will always revert, as we usesharesExchangeRateInverse
.Since
sharesExchangeRate = 0
, the tx will revert as we are attempting to divide by 0.Impact
Complete loss of funds for the user that adds principal and the burn is completely unusable.
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/defe55469a2576735af67483acf31d623e13592d/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L324-L334
Tool used
Manual Review
Recommendation
We recommend to force the initializer of the contract, to transfer some principal tokens when initializing the contract and add those to
totalPrincipalTokensCommitted
. This waytotalPrincipalTokensCommitted
should always be larger thantokenDifferenceFromLiquidations
.Duplicate of #64