Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Underlying token percents should add up to 100% / exposure.sortVaultsByDelta tracking does not work #100

Closed
code423n4 opened this issue Jul 7, 2021 · 3 comments
Closed

Underlying token percents should add up to 100% / exposure.sortVaultsByDelta tracking does not work #100

code423n4 opened this issue Jul 7, 2021 · 3 comments
Labels
1 (Low Risk) bug Something isn't working sponsor disputed

Comments

@code423n4
Copy link
Contributor

Handle

cmichel

Vulnerability details

Vulnerability Details

The Insurance.setUnderlyingTokenPercent function sets the target allocations per vault which is used throughout the code ("delta").
It does not validate that the sum of the underlyingTokensPercents is 100%, it could be higher or lower.

If the sum is less than 100% it leads to severe issues in parts of the code, for example, it's used in getVaultDeltaForDeposit to get the sorted vaultIndexes through this call exposure.sortVaultsByDelta.

However, exposure.sortVaultsByDelta has a bug with tracking min and max indexes if they don't add up to 100%, because the else branch of minDelta must never be taken.

Example bug:
Assume: unifiedTotalAssets = 100k, unifiedAssets = [40k, 30k, 30k], targetPercents = [30%, 30%, 30%].

Then for i = 0:
delta = 40k - 100k * 30% = 10k > 0 => sets maxDelta = 10k, maxIndex = 0
Then for i = 1:
delta = 30k - 100k * 30% = 0 > 0 is false but else branch with 0 < 0 is false as well => nothing is set
Then for i = 2:
delta = 30k - 100k * 30% = 0 > 0 is false but else branch with 0 < 0 is false as well => nothing is set

Resulting in both maxIndex = 0, minIndex = 0 and thus vaultIndexes = [0, 3, 0] depositing into the first vault twice and completely skipping the others.

Recommended Mitigation Steps

Validate that it adds up to 100%.
Alternatively, fix the minDelta and maxDelta starting values (0 is bad) and computation.
@code423n4 code423n4 added 3 (High Risk) bug Something isn't working labels Jul 7, 2021
code423n4 added a commit that referenced this issue Jul 7, 2021
@code423n4
cmichel issue #100
36bb879
@kitty-the-kat kitty-the-kat added duplicate This issue or pull request already exists sponsor disputed labels Jul 14, 2021
@kitty-the-kat
Copy link
Collaborator

kitty-the-kat commented Jul 14, 2021
edited
Loading

low risk:
Insurance.setUnderlyingTokenPercent is set by governance and will be behind a timelock
similar issue in #11, which is set to low risk, which I agree with

@flabble-gro flabble-gro mentioned this issue Jul 14, 2021
Open
@flabble-gro flabble-gro removed the duplicate This issue or pull request already exists label Jul 14, 2021
@ghoul-sol
Copy link
Collaborator

This requires human error to be an issue. While I agree that best practices recommend data validation, I'd imagine that governance TX would be checked 10 times before sending. I'm agreeing with sponsor, this is low risk.

@ghoul-sol
Copy link
Collaborator

Duplicate of #11

@ghoul-sol ghoul-sol marked this as a duplicate of #11 Jul 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 (Low Risk) bug Something isn't working sponsor disputed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kitty-the-kat @flabble-gro @ghoul-sol @code423n4