Platform: Code4rena
Start Date: 08/05/2023
Pot Size: $90,500 USDC
Total HM: 17
Participants: 102
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 236
League: ETH
Rank: 84/102
Findings: 1
Award: $51.68
🌟 Selected for report: 0
🚀 Solo Findings: 0
51.6843 USDC - $51.68
The token could be impacted by an inflation attack.
At present, vToken is still susceptible to the well-known ERC4626 'Inflation Attack'. This vulnerability allows the total asset count to be inflated by making donations.
This means that one can mint initially, redeem thereafter, be left with 1 share, and then by directly transferring assets, enhance the exchangeRate, thereby enabling an 'Inflation Attack'.
It's important to note that while the initial mint can be triggered at the creation of a VToken, there isn't any constraint demanding that the initialSupply should be equal to zero.
Manual Review.
It is advised to consider the latest version of OpenZeppelin, which introduces a unique iteration of ERC4626 aimed at mitigating this 'Inflation Attack'.
Ref: https://docs.openzeppelin.com/contracts/4.x/erc4626
Other
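The rounding behind this finding and the effect of the virtual-shares conversion from the referenced OpenZeppelin docs, as an added Python model. This is not vToken or OpenZeppelin code; `ShareVault`, `late_depositor_outcome` and all amounts are constructed for illustration.

```python
class ShareVault:
    """Toy share ledger. offset=None is the naive conversion; offset=k adds
    10**k virtual shares and 1 virtual asset (OpenZeppelin 4.9-style formula)."""

    def __init__(self, offset=None):
        self.offset = offset
        self.total_assets = 0
        self.total_supply = 0
        self.balance = {}

    def _terms(self):
        # (supply term, asset term) shared by both conversions
        if self.offset is None:
            return self.total_supply, self.total_assets
        return self.total_supply + 10 ** self.offset, self.total_assets + 1

    def to_shares(self, assets):
        supply, held = self._terms()
        # empty naive vault bootstraps 1:1; otherwise round down
        return assets if held == 0 else assets * supply // held

    def to_assets(self, shares):
        supply, held = self._terms()
        return shares if supply == 0 else shares * held // supply

    def deposit(self, who, assets):
        minted = self.to_shares(assets)
        self.total_assets += assets
        self.total_supply += minted
        self.balance[who] = self.balance.get(who, 0) + minted
        return minted

    def redeem(self, who, shares):
        paid = self.to_assets(shares)
        self.balance[who] -= shares
        self.total_supply -= shares
        self.total_assets -= paid
        return paid


def late_depositor_outcome(offset, seed=1_000, donation=10_000, deposit=10_000):
    """Return (shares minted, assets redeemable) for the later depositor."""
    v = ShareVault(offset)
    first = v.deposit("first", seed)
    v.redeem("first", first - 1)   # supply shrinks to a single share
    v.total_assets += donation     # direct transfer: assets rise, no shares minted
    minted = v.deposit("late", deposit)
    return minted, v.to_assets(minted)
```

With the naive conversion the later deposit rounds down to zero shares, while with an offset of 3 the same deposit keeps almost all of its value because the donated assets are diluted by the virtual shares.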
#0 - c4-judge
2023-05-17T12:00:11Z
0xean marked the issue as duplicate of #314
#1 - c4-judge
2023-06-05T13:59:26Z
0xean marked the issue as satisfactory
#2 - c4-judge
2023-06-05T14:37:35Z
0xean changed the severity to 3 (High Risk)
#3 - c4-judge
2023-06-05T14:37:43Z
0xean changed the severity to 2 (Med Risk)