Platform: Code4rena
Start Date: 15/12/2022
Pot Size: $128,000 USDC
Total HM: 28
Participants: 111
Period: 19 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 194
League: ETH
Rank: 101/111
Findings: 1
Award: $14.91
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xdeadbeef0x
Also found by: 0xLad, 0xNazgul, 0xSmartContract, 0xbepresent, Arbor-Finance, Breeje, HE1M, IllIllI, Qeew, Rolezn, SEVEN, SamGMK, SmartSek, TomJ, WatchDogs, ak1, btk, ck, datapunk, dic0de, eierina, fs0c, hansfriese, koxuan, ladboy233, peanuts, rvierdiiev, sces60107, tonisives, unforgiven, yongskiws
14.9051 USDC - $14.91
Future depositors are forced to pay a huge amount of assets to receive any shares at all, which is not practical for most users and would directly drive users away from the system.
This is a well-known attack vector for almost all share-based liquidity pool contracts: an early user can manipulate the price per share and profit from later users' deposits because of the precision loss caused by a very large price per share. Initially the share price is 1:1 with assets. If everything works normally, the share price slowly rises over time to 1:2 or 1:10 as more rewards come in. But right after ERC4626 contract creation, during the first cycle, any user can deposit the smallest unit of assets to mint 1 share, setting totalSupply = 1, and then transfer tokens directly to the vault to inflate totalAssets before rewards kick in (essentially faking rewards before anyone else can deposit, in order to obtain a much better share price).
Manual
Consider requiring a minimal amount of share tokens to be minted for the first minter, and sending a portion of that initial mint to the DAO as a reserve or burning it, so that the price per share is more resistant to manipulation.
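To make the share arithmetic above concrete, here is an added toy model (Python, not the audited project's code) of ERC4626 share accounting that runs the sequence described in the finding once against an unprotected vault and once against a vault applying the suggested minimum first mint with a reserve portion; all deposit and donation amounts are constructed.

```python
# Toy model of ERC4626 share accounting (1:1 on an empty vault, floor division
# afterwards). Constructed example with illustrative numbers; not the audited vault's code.
from dataclasses import dataclass


@dataclass
class Vault:
    total_assets: int = 0     # tokens held by the vault; direct transfers count too
    total_supply: int = 0     # all shares, including any reserve shares
    min_first_mint: int = 0   # minimum shares for the first depositor (0 = no check)
    reserve_shares: int = 0   # part of the first mint sent to the DAO / burned

    def to_shares(self, assets: int) -> int:
        if self.total_supply == 0:
            return assets                                       # 1:1 on an empty vault
        return assets * self.total_supply // self.total_assets  # floor: precision loss
    def to_assets(self, shares: int) -> int:
        return shares * self.total_assets // self.total_supply

    def deposit(self, assets: int) -> int:
        shares = self.to_shares(assets)
        if self.total_supply == 0:
            if shares < self.min_first_mint:
                raise ValueError("first deposit below minimum share amount")
            shares -= self.reserve_shares      # reserve counts in totalSupply, not for the user
            self.total_supply += self.reserve_shares
        self.total_assets += assets
        self.total_supply += shares
        return shares
    def donate(self, assets: int) -> None:
        self.total_assets += assets            # plain token transfer: no shares minted

    def redeem(self, shares: int) -> int:
        assets = self.to_assets(shares)
        self.total_assets -= assets
        self.total_supply -= shares
        return assets


def run_scenario(vault: Vault, first_deposit: int, donation: int, victim_deposit: int):
    """Return (victim_shares, first_depositor_payout, first_depositor_cost)."""
    first_shares = vault.deposit(first_deposit)
    vault.donate(donation)
    victim_shares = vault.deposit(victim_deposit)
    return victim_shares, vault.redeem(first_shares), first_deposit + donation


# Unmitigated: a 1-unit deposit sets totalSupply = 1, a 10_000 donation inflates totalAssets
vulnerable = run_scenario(Vault(), 1, 10_000, 10_000)  # -> (0, 20001, 10001): victim gets nothing
# Mitigated: first mint must be >= 1_000 shares and 100 of them stay as a reserve
mitigated = run_scenario(Vault(min_first_mint=1_000, reserve_shares=100), 1_000, 10_000, 10_000)  # -> (909, 9900, 11000)
```

In the unprotected vault the victim's whole deposit is captured by the holder of the single share; with the minimum mint and reserve the victim keeps almost all of its value and the manipulation costs the first depositor more than it yields.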
#0 - c4-judge
2023-01-08T13:11:34Z
GalloDaSballo marked the issue as duplicate of #209
#1 - c4-sponsor
2023-01-11T00:08:42Z
emersoncloud marked the issue as sponsor acknowledged
#2 - c4-judge
2023-02-08T09:44:17Z
GalloDaSballo marked the issue as satisfactory