Platform: Code4rena
Start Date: 06/01/2022
Pot Size: $60,000 USDC
Total HM: 20
Participants: 33
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 67
League: ETH
Rank: 26/33
Findings: 2
Award: $105.91
🌟 Selected for report: 0
🚀 Solo Findings: 0
ACai
When the Vault contract deposits all or most of the tokens into the strategy contract, so that the tokens remaining in the Vault contract are fewer than the user's deposit, the user's withdrawal operation will result in a rollback that is not considered by the program.
The relevant code for this issue is shown below. For ease of reading, it is written as pseudocode.
totalUnderlyingMinusSponsored()
  = totalUnderlying() - totalSponsored
  = underlying.balanceOf(Vault) + strategy.investedAssets() - totalSponsored

strategy.investedAssets()
  = underlyingBalance + ((exchangeRateFeeder.exchangeRateOf(address(aUstToken), true) * aUstBalance) / 1e18)
  = underlyingBalance + balanceOfaUstToUnderlying
  = underlying.balanceOf(Strategy) + pendingDeposits + balanceOfaUstToUnderlying

totalUnderlyingMinusSponsored()
  = underlying.balanceOf(Vault) + underlying.balanceOf(Strategy) + pendingDeposits + balanceOfaUstToUnderlying - totalSponsored
As a simple example, we assume that pendingDeposits, balanceOfaUstToUnderlying and totalSponsored are all 0.
totalUnderlyingMinusSponsored() = underlying.balanceOf(Vault) + underlying.balanceOf(Strategy)
We assume that TotalShares is 1000 and TotalPrinciple is 1000 underlying tokens, of which 200 are in the Vault contract and 800 are in the Strategy contract.
When a user withdraws a Deposit NFT with a value of 500 underlying tokens via the _withdraw function, the Vault contract would call underlying.safeTransfer(_to, amount). However, the Vault contract does not have enough tokens, and an unexpected rollback would happen.
This situation is also likely to occur in the claimYield function.
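The scenario above as a small Python model, added here as an illustration and not taken from the Vault's Solidity code. `VaultModel`, `InsufficientLiquidity`, `liquidity_shortfall` and `simulate` are hypothetical names, and the model assumes the payout is made only from the Vault's own token balance.

```python
from dataclasses import dataclass


class InsufficientLiquidity(Exception):
    """Models the revert of underlying.safeTransfer(_to, amount)."""


@dataclass
class VaultModel:  # hypothetical model, field names follow the pseudocode above
    vault_balance: int            # underlying.balanceOf(Vault)
    strategy_balance: int         # underlying.balanceOf(Strategy)
    pending_deposits: int = 0     # pendingDeposits
    aust_to_underlying: int = 0   # balanceOfaUstToUnderlying
    total_sponsored: int = 0      # totalSponsored

    def invested_assets(self) -> int:
        return self.strategy_balance + self.pending_deposits + self.aust_to_underlying

    def total_underlying_minus_sponsored(self) -> int:
        return self.vault_balance + self.invested_assets() - self.total_sponsored

    def liquidity_shortfall(self, amount: int) -> int:
        """Tokens the Vault itself is missing to pay `amount` (0 means payable)."""
        return max(0, amount - self.vault_balance)

    def withdraw(self, amount: int) -> None:
        # Assumption: the payout comes only from the Vault's own balance,
        # so funds held by the strategy do not help this transfer.
        missing = self.liquidity_shortfall(amount)
        if missing:
            raise InsufficientLiquidity(f"vault is short by {missing} tokens")
        self.vault_balance -= amount


def simulate(vault: VaultModel, amount: int) -> str:
    """Report what a withdrawal of `amount` would do, without hiding the revert."""
    total = vault.total_underlying_minus_sponsored()
    try:
        vault.withdraw(amount)
    except InsufficientLiquidity as exc:
        return f"revert: {exc} (accounted total {total})"
    return f"ok: paid {amount}, vault now holds {vault.vault_balance}"


if __name__ == "__main__":
    # Constructed values from the finding: 200 in the Vault, 800 in the Strategy.
    vault = VaultModel(vault_balance=200, strategy_balance=800)
    print(simulate(vault, 500))  # deposit worth 500 underlying tokens
    print(simulate(vault, 200))
```

The same `liquidity_shortfall` check can be run against observed balances to flag withdrawals that the accounting total covers but the Vault's own balance does not.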
#0 - r2moon
2022-01-11T16:08:02Z