search

sherlock-audit / 2024-08-midas-minter-redeemer-judging

1 stars 1 forks source link

EFCCWEB3 - Discrepancy in `validateMinAmount` might lead to Rejections when depositing into Vault for instant transaction #18

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 2 months ago

EFCCWEB3

Medium

Discrepancy in validateMinAmount might lead to Rejections when depositing into Vault for instant transaction

Summary

The _validateMinAmount function exhibits a significant discrepancy between its operational logic and the descriptions provided in the inline comments. This inconsistency has critical ramifications for the _calcAndValidateDeposit function, potentially leading to erroneous validation of deposits. The issue undermines the accuracy of deposit processing and could lead to substantial financial and operational issues. https://github.com/sherlock-audit/2024-08-midas-minter-redeemer/blob/main/midas-contracts%2Fcontracts%2FDepositVault.sol#L282

Vulnerability Detail

The _validateMinAmount function is intended to enforce minimum deposit requirements by validating both token amounts and their corresponding USD values. According to the inline comments, the function should ensure that the deposit amount in USD is greater than or equal to minAmountToDepositInUsd(), and that the token amount is at least minAmount(). Furthermore, for first-time depositors, the function should validate against minMTokenAmountForFirstDeposit.

/**
 * @dev Validates that inputted USD amount >= minAmountToDepositInUsd()
 * and amount >= minAmount()
 * @param user user address
 * @param amountMTokenWithoutFee amount of mToken without fee (decimals 18)
 */

The _validateMinAmount function fails to incorporate USD-based validation, focusing solely on the token amount (amountMTokenWithoutFee). The function does not convert the token amount to its USD equivalent or check it against minAmountToDepositInUsd().

Consider a situation where a newly onboarded user is attempting their first deposit into a smart contract. The contract stipulates a minimum token quantity requirement for first-time deposits, set at 150,000 XYZ tokens, as defined by the parameter minMTokenAmountForFirstDeposit. This parameter dictates that to successfully process their inaugural deposit, a user must deposit at least 150,000 XYZ tokens, regardless of the token’s USD value. In this scenario, the user deposits 200,000 XYZ tokens, easily surpassing the minimum token threshold. However, if the contract lacks additional validation to check the USD value of the deposit, a critical issue arises: the USD value of 200,000 XYZ tokens, at a price of $0.0001 per token, equates to only $20. This amount is substantially below the required USD minimum of $50, which should ideally be enforced to ensure the deposit meets the financial standards set by the contract.

The absence of this USD validation means that while the deposit exceeds the token quantity requirement, it fails to satisfy the necessary USD value, potentially allowing the user to exploit the system by depositing a large volume of low-value tokens.

This oversight can lead to erroneous deposit approvals or rejections. For example, a deposit of tokens that meets the token minimum but falls short in USD value could be improperly accepted,.

The discrepancy between the _validateMinAmount function’s implementation and its documented intent has significant implications for the _calcAndValidateDeposit function.

Impact

Incorrect Deposit Approval or Rejection

Code Snippet

    function _validateMinAmount(address user, uint256 amountMTokenWithoutFee)
        internal
        view
    {
        require(amountMTokenWithoutFee >= minAmount, "DV: mToken amount < min");

        if (totalMinted[user] != 0) return;

        require(
            amountMTokenWithoutFee >= minMTokenAmountForFirstDeposit,
            "DV: mint amount < min"
        );
    }

Tool used

GitHub

Recommendation

Modify _validateMinAmount to include a check against minAmountToDepositInUsd(). Implement a mechanism to convert the token amount to its USD equivalent and ensure it meets the required USD threshold.

sherlock-admin4 commented 1 month ago

1 comment(s) were left on this issue during the judging contest.

merlinboii commented:

Intended design. Sponsor has specified that the minimum about checking is set in TOKEN not the USD. As in the Hierarchy of truth standard: the specification in README/documentation provided by sposor is the chosen source of truth not the CODE COMMENT.