Closed sherlock-admin2 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
merlinboii commented:
Intended design. Sponsor has specified that the minimum amount checking is set in TOKEN not the USD. As in the Hierarchy of truth standard: the specification in README/documentation provided by sponsor is the chosen source of truth not the CODE COMMENT.
EFCCWEB3
Medium
Discrepancy in validateMinAmount might lead to Rejections when depositing into Vault for instant transaction
Summary
The _validateMinAmount function exhibits a significant discrepancy between its operational logic and the descriptions provided in the inline comments. This inconsistency has critical ramifications for the _calcAndValidateDeposit function, potentially leading to erroneous validation of deposits. The issue undermines the accuracy of deposit processing and could lead to substantial financial and operational issues.
https://github.com/sherlock-audit/2024-08-midas-minter-redeemer/blob/main/midas-contracts%2Fcontracts%2FDepositVault.sol#L282
Vulnerability Detail
The _validateMinAmount function is intended to enforce minimum deposit requirements by validating both token amounts and their corresponding USD values. According to the inline comments, the function should ensure that the deposit amount in USD is greater than or equal to minAmountToDepositInUsd(), and that the token amount is at least minAmount(). Furthermore, for first-time depositors, the function should validate against minMTokenAmountForFirstDeposit.
The _validateMinAmount function fails to incorporate USD-based validation, focusing solely on the token amount (amountMTokenWithoutFee). The function does not convert the token amount to its USD equivalent or check it against minAmountToDepositInUsd().
The absence of this USD validation means that while the deposit exceeds the token quantity requirement, it fails to satisfy the necessary USD value, potentially allowing the user to exploit the system by depositing a large volume of low-value tokens.
This oversight can lead to erroneous deposit approvals or rejections. For example, a deposit of tokens that meets the token minimum but falls short in USD value could be improperly accepted.
The discrepancy between the _validateMinAmount function’s implementation and its documented intent has significant implications for the _calcAndValidateDeposit function.
Impact
Incorrect Deposit Approval or Rejection
Code Snippet
Tool used
GitHub
Recommendation
Modify _validateMinAmount to include a check against minAmountToDepositInUsd(). Implement a mechanism to convert the token amount to its USD equivalent and ensure it meets the required USD threshold.