Platform: Code4rena
Start Date: 08/05/2023
Pot Size: $90,500 USDC
Total HM: 17
Participants: 102
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 236
League: ETH
Rank: 83/102
Findings: 1
Award: $51.68
🌟 Selected for report: 0
🚀 Solo Findings: 0
51.6843 USDC - $51.68
https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/VToken.sol#L1272-L1279 https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/VToken.sol#L769-L776
Users are vulnerable to an inflation attack where a user can lose funds due to a malicious actor directly depositing funds into the vToken contract.
The function _Mintfresh calls the function DoTransferIn which calculates the amount of vTokens to mint to a user after supplying the underlying asset. DotransferIn calculates the balance of the underlying asset in the contract as follows:
function _doTransferIn(address from, uint256 amount) internal virtual returns (uint256) { IERC20Upgradeable token = IERC20Upgradeable(underlying); uint256 balanceBefore = token.balanceOf(address(this)); token.safeTransferFrom(from, address(this), amount); uint256 balanceAfter = token.balanceOf(address(this)); // Return the amount that was *actually* transferred return balanceAfter - balanceBefore; }
The vulnerability here is that a malicious can directly send the underlying assets directly to the contract, affecting the number of Vtokens minted to an unsuspecting user. This can be used in a MEV sandwich attack where a user can have their funds stolen by front running a user calling the function mint with a direct transfer, calling mint and then withdrawing the tokens
Manual Review
Use a mapping instead of BalanceOf, to track the balance of underlying assets
MEV
#0 - c4-judge
2023-05-17T20:14:37Z
0xean marked the issue as duplicate of #314
#1 - c4-judge
2023-06-05T14:08:32Z
0xean marked the issue as satisfactory
#2 - c4-judge
2023-06-05T14:37:43Z
0xean changed the severity to 2 (Med Risk)