Platform: Code4rena
Start Date: 07/07/2022
Pot Size: $75,000 USDC
Total HM: 32
Participants: 141
Period: 7 days
Judge: HardlyDifficult
Total Solo HM: 4
Id: 144
League: ETH
Rank: 118/141
Findings: 1
Award: $41.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0xA5DF, 0xSky, 0xsanson, ElKu, Kumpa, Treasure-Seeker, TrungOre, cccz, cryptphi, hansfriese, jonatascm, kenzo, minhquanym, s3cunda, shenwilly, smiling_heretic, zzzitron
41.4866 USDC - $41.49
Users can get cash from a successful buyout. In the Buyout.cash function, ethBalance is not updated after the token is burned and the user receives buyoutShare. As a result, users can get more cash than their share.
buyoutShare is calculated as follows.
uint256 buyoutShare = (tokenBalance * ethBalance) / (totalSupply + tokenBalance);
Let us say ethBalance is 1.0 for simplicity, and for two users, tokenBalance is also 1.0, respectively.
For the first user, buyoutShare = 1.0 / 2.0 = 0.5 and this is correct. But for the second user, buyoutShare = 1.0, but the correct buyoutShare is 0.5 in this case.
VSCode
Add the following line to the cash function.
buyoutInfo[_vault].ethBalance -= buyoutShare;
function cash(address _vault, bytes32[] calldata _burnProof) external { ... uint256 buyoutShare = (tokenBalance * ethBalance) / (totalSupply + tokenBalance); _sendEthOrWeth(msg.sender, buyoutShare); + buyoutInfo[_vault].ethBalance -= buyoutShare; // Emits event for cashing out of buyout pool emit Cash(_vault, msg.sender, buyoutShare); }
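Review bot: in the cash patch, the added buyoutInfo[_vault].ethBalance -= buyoutShare; sits after _sendEthOrWeth(msg.sender, buyoutShare), so the stored pool balance still holds the old value while the external transfer runs. Move the decrement above the transfer so the state change precedes the external call (checks-effects-interactions ordering). The rest of the body is elided here, so it is worth confirming that the ethBalance used in the share formula is read from buyoutInfo[_vault] on every call rather than from a value that the new line does not update.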
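The two-user arithmetic from the finding, generalized to any list of holdings, as an added Python model (not code from the report or the audited project). It assumes, from the totalSupply + tokenBalance term in the formula, that the caller's tokens are burned before the share is computed; Vault, cash and simulate are hypothetical names, and 1.0 in the text is scaled to 10**18 integer units.

```python
from dataclasses import dataclass

WEI = 10**18  # constructed scale: "1.0" in the finding == 10**18 units here


@dataclass
class Vault:
    total_supply: int   # fraction-token supply still outstanding
    eth_balance: int    # models buyoutInfo[_vault].ethBalance
    paid_out: int = 0   # running total sent to cashing users


def cash(vault: Vault, token_balance: int, apply_fix: bool) -> int:
    """Model one call to cash(): burn, compute share, pay, optionally decrement."""
    # Assumption: the burn happens first, which is why the formula adds
    # tokenBalance back onto totalSupply.
    vault.total_supply -= token_balance
    share = (token_balance * vault.eth_balance) // (vault.total_supply + token_balance)
    vault.paid_out += share
    if apply_fix:
        # The line the finding recommends adding.
        vault.eth_balance -= share
    return share


def simulate(holdings, pool, apply_fix):
    """Every holder cashes out in order; returns (shares, total paid)."""
    vault = Vault(total_supply=sum(holdings), eth_balance=pool)
    shares = [cash(vault, h, apply_fix) for h in holdings]
    return shares, vault.paid_out


if __name__ == "__main__":
    # Constructed inputs: the finding's two equal holders, then an unequal pair.
    for holdings, pool in (([WEI, WEI], WEI), ([WEI, 3 * WEI], 4 * WEI)):
        for fixed in (False, True):
            shares, total = simulate(holdings, pool, fixed)
            label = "fixed  " if fixed else "current"
            print(label, [s / WEI for s in shares],
                  "paid", total / WEI, "of pool", pool / WEI)
```

The model only tracks the accounting; it does not cap payouts at the balance the contract actually holds.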
#0 - ecmendenhall
2022-07-15T02:54:14Z