Platform: Code4rena
Start Date: 16/02/2023
Pot Size: $144,750 USDC
Total HM: 17
Participants: 154
Period: 19 days
Judge: Trust
Total Solo HM: 5
Id: 216
League: ETH
Rank: 19/154
Findings: 1
Award: $1,140.50
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hyh
Also found by: Koolex, Parad0x, chaduke, hansfriese, jasonxiale, koxuan
1140.5041 USDC - $1,140.50
Function ReaperVaultV2._withdraw first calls _burn to burn the depositor's shares, then calls token.safeTransfer to transfer value of token to msg.sender. However, there are some cases where value doesn't conform with _shares, which causes a loss for the depositor.
if (value > token.balanceOf(address(this))): the vault first checks whether balanceOf(this) is larger than value; if not, the vault will withdraw token from withdrawQueue. After that, the vault will check again: if the vault's balance is still smaller than value, it will change value to its current balance. In such a case, the vault burns more shares than it sends to the depositor.
Say a depositor calls withdraw with _shares equal to 100. In line 365 the value is 10000, and in line 366 the vault burns the depositor's 100 shares. Then the vault doesn't have enough token, so it withdraws token from its strategies. After that, it gets 1000 as vaultBalance; in such a case, value is set to vaultBalance in line 401. Finally, line 410 will transfer 1000 token to the depositor, but at the beginning of the function the vault burned more shares.
Manually
Recalculate and burn shares according to how many tokens are sent to the depositor.
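The accounting described in this finding, as an added example that is not part of the original submission and is not the ReaperVaultV2 code: a simplified Python model that runs the 100-share / 10000-value / 1000-balance case once with the burn up front and once with shares burned in proportion to what is paid. The `Vault`, `Strategy` and `scenario` names, the holders and the starting balances are constructed for illustration, and rounding the pro-rata burn up is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Strategy:              # hypothetical stand-in for a withdrawQueue entry
    allocated: int           # what the vault accounts as held by the strategy
    liquid: int              # what the strategy can actually return right now

    def withdraw(self, amount: int) -> int:
        paid = min(amount, self.liquid)
        self.allocated -= paid
        self.liquid -= paid
        return paid

@dataclass
class Vault:
    idle: int                # token.balanceOf(vault)
    strategies: list
    shares: dict             # holder -> share balance

    def withdraw(self, who: str, shares: int, burn_pro_rata: bool):
        supply = sum(self.shares.values())
        assets = self.idle + sum(s.allocated for s in self.strategies)
        value = assets * shares // supply
        if not burn_pro_rata:
            self.shares[who] -= shares            # burn up front (behaviour in the finding)
        for s in self.strategies:                 # pull from the queue while short
            if value <= self.idle:
                break
            self.idle += s.withdraw(value - self.idle)
        paid = min(value, self.idle)              # value capped to the vault balance
        burned = shares
        if burn_pro_rata:
            # Assumed fix: burn only the shares covered by what is paid out,
            # rounding up so the rounding never favours the withdrawer.
            burned = -(-shares * paid // value) if value else 0
            self.shares[who] -= burned
        self.idle -= paid
        return paid, burned

def scenario(burn_pro_rata: bool):
    # Constructed numbers matching the finding: 100 shares valued at 10000,
    # but only 1000 tokens reachable after draining the strategy.
    vault = Vault(idle=400, strategies=[Strategy(allocated=19600, liquid=600)],
                  shares={"alice": 100, "bob": 100})
    paid, burned = vault.withdraw("alice", 100, burn_pro_rata)
    return paid, burned, vault.shares["alice"]

if __name__ == "__main__":
    print("burn up front :", scenario(False))
    print("burn pro rata :", scenario(True))
```

Each tuple is (tokens paid, shares burned, shares the depositor still holds); in the pro-rata run the depositor keeps a claim on the 9000 tokens that could not be paid out.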
#0 - c4-judge
2023-03-09T10:35:52Z
trust1995 marked the issue as duplicate of #723
#1 - c4-judge
2023-03-09T10:35:56Z
trust1995 marked the issue as satisfactory