Closed sherlock-admin2 closed 1 week ago
deposit, mint, redeem and withdraw revert as specified by ERC4626
Escalate
As per contest readme:
Is the codebase expected to comply with any EIPs? Can there be/are there any deviations from the specification? SuperPool.sol is strictly ERC4626 compliant
SuperPool
contract is STRICTLY
compliant to ERC4626 the specification for deposit/withdraw/mint/redeem is a MUST
requirement from ERC4626 so it should be considered valid.
I believe, all ERC4626 non-compliance issues should be grouped together.
Escalate
As per contest readme:
Is the codebase expected to comply with any EIPs? Can there be/are there any deviations from the specification? SuperPool.sol is strictly ERC4626 compliant
SuperPool
contract isSTRICTLY
compliant to ERC4626 the specification for deposit/withdraw/mint/redeem is aMUST
requirement from ERC4626 so it should be considered valid.I believe, all ERC4626 non-compliance issues should be grouped together.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
@z3s is right that the functions revert as per standard. For example check _deposit()
- https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/SuperPool.sol#L499
Planning to reject the escalation and leave the issue as is.
@cvetanovv Can you please check withdraw()
and redeem()
function where this ERC4626 compliance is not met.
MohammedRizwan
Medium
SuperPool
s deposit, withdraw, redeem and mint functions are not incomplaince with ERC4626Summary
SuperPool
s deposit, withdraw, redeem and mint functions are not incomplaince with ERC4626Vulnerability Detail
As per the contest readme,
SuperPool.sol is strictly ERC4626 compliant
. Thedeposit()
, withdraw(), redeem() and mint() functions ofSuperPool
contract is not incompliance with ERC4626.For understanding, Lets check deposit() function which is used to deposit the asset into the superPool and it is implemented as:
The issue here is that,
deposit()
function is not incompliance with ERC4626 as ERC4626 deposit specification states,It means that, the
maxDeposit
limit is not checked in deposit function. deposit() will not revert if the asset maximum limit is reached and per readme the deposit function must be strictly incompliance with ERC4626.It should be noted that,
maxDeposit()
function is implemented insuperPool
contract which can be checked here but its not checked in deposit function.Similarly,
withdraw()
,redeem()
andmint()
are also not incompliance with ERC4626. Below specification related to them is not complied in functions.mint
withdraw
redeem
ERC4626 link- https://eips.ethereum.org/EIPS/eip-4626
Impact
Failure to comply with the ERC4626 deposit, withdraw, redeem and mint specification which is considered as strict compliance by protocol as these functions should not exceed max deposit.
Code Snippet
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/SuperPool.sol#L258-L263
Tool used
Manual Review
Recommendation
Ensure SuperPool contracts deposit, withdraw, redeem and mint function must be incompliance with ERC4626.
For example understanding,
consider below changes for deposit():