Platform: Code4rena
Start Date: 05/01/2023
Pot Size: $90,500 USDC
Total HM: 55
Participants: 103
Period: 14 days
Judge: Picodes
Total Solo HM: 18
Id: 202
League: ETH
Rank: 103/103
Findings: 1
Award: $25.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ladboy233
Also found by: Bjorn_bug, Jujic, KIntern_NA, RaymondFam, fs0c, joestakey, kaden, obront, unforgiven
25.3332 USDC - $25.33
Arbitrary ERC20 tokens can be deposited in the liquidity pool to earn yield and mint VaultTokens to acquire shares, and nothing in the documentation indicates that the protocol will not support fee-on-transfer tokens or rebasing/deflationary/inflationary tokens in the future. The "assets" amount should therefore be calculated on each deposit so that it reflects the amount actually received, excluding any fees. This will prevent any potential abuse in minting more shares than intended.
```solidity
function deposit(uint256 assets, address receiver) public virtual returns (uint256 shares) {
    // Check for rounding error since we round down in previewDeposit.
    require((shares = previewDeposit(assets)) != 0, "ZERO_SHARES");
    require(shares > minDepositAmount(), "VALUE_TOO_SMALL");

    // Need to transfer before minting or ERC777s could reenter.
    ERC20(asset()).safeTransferFrom(msg.sender, address(this), assets);

    _mint(receiver, shares);

    emit Deposit(msg.sender, receiver, assets, shares);

    afterDeposit(assets, shares);
}
```
Inspection
Consider using the balance before and after the transfer to calculate the received amount of assets, instead of assuming that it equals the amount passed as a parameter.
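One way to apply this recommendation, as an added example that is not the audited project's code: a minimal vault whose `deposit` mints shares from the measured balance delta. The `IERC20Min` interface, the `MeasuredDepositVault` contract, its simplified share accounting and the `locked` guard are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the audited code. IERC20Min and the share accounting
// below are assumptions standing in for the vault's real base contracts.
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MeasuredDepositVault {
    IERC20Min public immutable asset;
    uint256 public totalSupply;                    // total shares minted
    mapping(address => uint256) public balanceOf;  // shares per holder
    bool private locked;                           // reentrancy guard

    event Deposit(address indexed caller, address indexed receiver, uint256 assets, uint256 shares);

    constructor(IERC20Min asset_) {
        asset = asset_;
    }

    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
        // Balance-delta accounting is only sound if the token cannot reenter
        // (ERC777 hooks) and nest a second deposit inside this measurement.
        require(!locked, "REENTRANCY");
        locked = true;

        uint256 balanceBefore = asset.balanceOf(address(this));
        // Transfer first, as the original does; a production vault would keep
        // its safeTransferFrom wrapper for tokens that return no bool.
        require(asset.transferFrom(msg.sender, address(this), assets), "TRANSFER_FAILED");
        // What actually arrived: less than `assets` for a fee-on-transfer token.
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;

        // Price shares on the measured amount against the pre-deposit balance,
        // so the incoming tokens do not dilute their own share price.
        shares = totalSupply == 0 ? received : (received * totalSupply) / balanceBefore;
        require(shares != 0, "ZERO_SHARES");

        totalSupply += shares;
        balanceOf[receiver] += shares;
        emit Deposit(msg.sender, receiver, received, shares);
        locked = false;
    }
}
```

The `Deposit` event reports `received` rather than the caller-supplied `assets`, so off-chain accounting sees the same amount the shares were priced on.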
#0 - c4-judge
2023-01-26T16:57:21Z
Picodes marked the issue as duplicate of #51
#1 - c4-judge
2023-02-23T11:50:58Z
Picodes marked the issue as satisfactory