search

sherlock-audit / 2024-09-symmio-v0-8-4-update-contest-judging

0 stars 0 forks source link

danyilbalko - The withdrawFromReserveVault function must ensure arithmetic precision for the amount value #37

Open sherlock-admin3 opened 1 week ago

sherlock-admin3 commented 1 week ago

danyilbalko

Medium

The withdrawFromReserveVault function must ensure arithmetic precision for the amount value

Summary

In the AccountFacetImpl.sol file,

the withdraw function modified the value in the balance by ensuring arithmetic precision for the amount value,

but the withdrawFromReserveVault function did not do so.

This could result in a loss of funds due to an arithmetic error in the system.

Root Cause

https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L127

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

The system uses precision up to 18 decimal places for the balance value, so the arithmetic precision of the balances and reserveVault values ​​in the depositToReserveVault and withdrawalFromReserveVault functions must be the same. Otherwise, funds will be lost due to arithmetic errors.

Mitigation

function withdrawFromReserveVault(uint256 amount) internal {
    GlobalAppStorage.Layout storage appLayout = GlobalAppStorage.layout();
    AccountStorage.Layout storage accountLayout = AccountStorage.layout();
    require(amount > 0 && amount <= accountLayout.reserveVault[msg.sender], "AccountFacet: Insufficient balance");
    uint256 amountWith18Decimals = (amount * 1e18) / (10 ** IERC20Metadata(appLayout.collateral).decimals());
    accountLayout.reserveVault[msg.sender] -= amountWith18Decimals;
    accountLayout.balances[msg.sender] += amountWith18Decimals;
    accountLayout.withdrawCooldown[msg.sender] = block.timestamp;
}