Share price in LenderCommitmentGroup_Smart.sol can be inflated
Summary
Vulnerability Detail
When is pool is initialised with 0 principal tokens means 0 poolsharetokens minted or very minimial poolShareTokens minted this attack can be possible.
When this situation is created ,attacker can saw the pool intialisation (lets consider 0 share minted). he can deposit few asset in the pool by addPrincipalToCommitmentGroup() funtion. and he will get minted by share tokens.
the attacker will himself borrow from the pool using SCF contract as mentioned in comments. he will wait and when small amount wei lets consider 1 wei of interest is accrued he will repay the loan with interest
Attacker will leave 1 wei of shares and redeem all shares he deposited
so Now the poolSharesToken = 1 and poolTotalEstimatedValue_>= 2 due to rounding.
So now attacker can infalte share price according to his need. Or also can front run depositor and takes addvantage if him and can take away user asset.
Impact
The user ends up with no share and forfeits all their tokens to the attacker.
Initialization of pool should be minimum with 1000 shares minted. because even if initialization is with 0 or minimalistic principal token means less share tokens minted . this attack still feasible
0xlucky
high
Share price in LenderCommitmentGroup_Smart.sol can be inflated
Summary
Vulnerability Detail
When is pool is initialised with 0 principal tokens means 0 poolsharetokens minted or very minimial poolShareTokens minted this attack can be possible.
When this situation is created ,attacker can saw the pool intialisation (lets consider 0 share minted). he can deposit few asset in the pool by addPrincipalToCommitmentGroup() funtion. and he will get minted by share tokens.
the attacker will himself borrow from the pool using SCF contract as mentioned in comments. he will wait and when small amount wei lets consider 1 wei of interest is accrued he will repay the loan with interest
Attacker will leave 1 wei of shares and redeem all shares he deposited
so Now the poolSharesToken = 1 and poolTotalEstimatedValue_>= 2 due to rounding.
So now attacker can infalte share price according to his need. Or also can front run depositor and takes addvantage if him and can take away user asset.
Impact
The user ends up with no share and forfeits all their tokens to the attacker.
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L307-L322
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L262-L275
Tool used
Manual Review
Recommendation
Initialization of pool should be minimum with 1000 shares minted. because even if initialization is with 0 or minimalistic principal token means less share tokens minted . this attack still feasible
Duplicate of #64