search

sherlock-audit / 2024-05-midas-judging

13 stars 6 forks source link

14si2o_Flint - If the minAmountToDepositInUsd is increased by the VaultAdmin, existing users can deposit amounts smaller than the minimum amount #102

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

14si2o_Flint

medium

If the minAmountToDepositInUsd is increased by the VaultAdmin, existing users can deposit amounts smaller than the minimum amount

Summary

The VaultAdmin can change the minAmountToDepositInEuro to a new value through the setMinAmountToDeposit function. When this value is increased, users that already have made deposits can make deposits which are smaller than the minAmountToDepositInEuro.

Vulnerability Detail

minAmountToDepositInEuro = 100k Alice deposits 100k totalDeposited[Alice]= 100k

VaultAdmin then increases the minAmountToDepositInEuro to 500k

Alice deposits another 100k. The _validateAmountUsdIn function does not check the amount against the minimum amount since if (totalDeposited[user] != 0) return; resolves to true.

As a result, the increase of the minAmountToDepositInEuro by the VaultAdmin is completely ineffective for existing users.

Impact

Assuming the protocol intends to use minAmountToDepositInEuro as an invariant to enforce a minimum deposit amount, the current implementation makes this ineffective for existing users.

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L150-L164

Tool used

Manual Review

Recommendation

Change the _validateAmountUsdIn to: 

if (totalDeposited[user] != 0){
        require(
            totalDeposited[user] + amountUsdIn >= minAmountToDepositInUsd(),
            "DV: deposited + usd amount < min"
        );
} else {
        require(
            totalDeposited[user] + amountUsdIn >= minAmountToDepositInUsd(),
            "DV: usd amount < min"
        );
}

Duplicate of #22