Tokens that are directly sent to the contract impact the cap value which should not be the case
Summary
In PointTokenVault, there is a function deposit() that allows users to deposit ERC20 tokens into the vault. The problem is that it relies on balanceOf() variable when determining whether cap for a particular token has reached a limit or not.
if (cap != type(uint256).max) {
if (_amount + _token.balanceOf(address(this)) > cap) {
revert DepositExceedsCap();
}
}
The problem is that it relies on the balanceOf() and therefore can be influenced by the tokens that were directly sent to the contract.
Impact
cap value can be impacted by these direct transfers and therefore have incorrect value - it should not count for any deposits outside of deposit() transfer. Users (even though it's not quite economically beneficial for them) can produce unexpected scenarios where they send tokens directly into the vault and influence the cap value potentially blocking the future deposits.
Introduce a new variable like totalDeposited to track the tokens that were sent into the vault by using deposit() functionality. Also create a function to rescue the tokens that were mistakenly or intentionally sent into the vault directly.
Clever Powder Ferret
Low/Info
Tokens that are directly sent to the contract impact the cap value which should not be the case
Summary
In
PointTokenVault
, there is a functiondeposit()
that allows users to deposit ERC20 tokens into the vault. The problem is that it relies onbalanceOf()
variable when determining whether cap for a particular token has reached a limit or not.Vulnerability Detail
Take a look at the check inside of
deposit()
:https://github.com/sense-finance/point-tokenization-vault/blob/dev/contracts/PointTokenVault.sol#L117-121
The problem is that it relies on the
balanceOf()
and therefore can be influenced by the tokens that were directly sent to the contract.Impact
cap
value can be impacted by these direct transfers and therefore have incorrect value - it should not count for any deposits outside ofdeposit()
transfer. Users (even though it's not quite economically beneficial for them) can produce unexpected scenarios where they send tokens directly into the vault and influence the cap value potentially blocking the future deposits.Code Snippet
https://github.com/sense-finance/point-tokenization-vault/blob/dev/contracts/PointTokenVault.sol#L117-121
Tool used
Manual Review.
Recommendation
Introduce a new variable like
totalDeposited
to track the tokens that were sent into the vault by usingdeposit()
functionality. Also create a function to rescue the tokens that were mistakenly or intentionally sent into the vault directly.