Platform: Code4rena
Start Date: 17/02/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 23
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 2
Id: 92
League: ETH
Rank: 8/23
Findings: 1
Award: $2,964.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cmichel
Also found by: 0xliumin, CertoraInc, Picodes, Ruhum
https://github.com/Rari-Capital/solmate/blob/main/src/mixins/ERC4626.sol#L67
If the number of assets is different from the number of shares, the user will get more or less shares than they expect.
Users don't have to be sophisticated at all, just using the contract as intended can cause users to get more or less of the shares of a vault.
Here's a proof of concept:
We would expect the following: a. Alice now has 2/3rds of the shares (2e18) b. Alice has to transfer 2e18 tokens
Alice correctly has to transfer 2e18 tokens. But she receives 2e18 shares instead of 1e18 shares because of the line of code here. https://github.com/Rari-Capital/solmate/blob/main/src/mixins/ERC4626.sol#L67
Change amount to shares on that line. Also should check other implementations to ensure this isn't exploitable in any production contracts.
#0 - Joeysantoro
2022-02-24T19:12:13Z
#1 - GalloDaSballo
2022-03-07T00:15:50Z
The warden has identified what is most likely a small oversight, which would have drastic consequences in the internal accounting of the Vault. Because of impact, I agree with high severity.
Will make this finding primary because it shows some details.
The sponsor has mitigated
#2 - GalloDaSballo
2022-03-12T17:03:23Z
Duplicate of #27