YearnV2YieldSource wrong subtraction in withdraw #90

Open
code423n4 opened this issue Jun 23, 2021 · 1 comment

@code423n4

Handle

cmichel

Vulnerability details

YearnV2YieldSource._withdrawFromVault uses a wrong subtraction.
When withdrawing from the vault one redeems yTokens for tokens, thus the token balance of the contract should increase after withdrawal.
But the contract subtracts the currentBalance from the previousBalance:

uint256 yShares = _tokenToYShares(amount);
uint256 previousBalance = token.balanceOf(address(this));
// we accept losses to avoid being locked in the Vault (if losses happened for some reason)
if(maxLosses != 0) {
    vault.withdraw(yShares, address(this), maxLosses);
} else {
    vault.withdraw(yShares);
}
uint256 currentBalance = token.balanceOf(address(this));
// @audit-issue this seems wrong
return previousBalance.sub(currentBalance);

Impact

All vault withdrawals fail due to the integer underflow as the previousBalance is less than currentBalance. Users won't be able to get back their investment.

Recommended Mitigation Steps

It should return currentBalance > previousBalance ? currentBalance - previousBalance : 0
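
The revert described in this report and the recommended return expression, side by side, as an added example that is not part of the original issue or the project's code. `MockToken`, `MockVault` and `WithdrawDemo` are hypothetical names, the vault pays one token per share as a constructed simplification, the `maxLosses` branch is omitted, and Solidity 0.8 checked arithmetic stands in for SafeMath's `sub`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal token: only the balance bookkeeping the demo needs.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

// Hypothetical stand-in for the vault: redeeming shares credits the caller
// with one token per share (constructed behaviour, not Yearn's pricing).
contract MockVault {
    MockToken public immutable token;
    constructor(MockToken _token) { token = _token; }
    function withdraw(uint256 shares) external { token.mint(msg.sender, shares); }
}

contract WithdrawDemo {
    MockToken public token = new MockToken();
    MockVault public vault = new MockVault(token);

    // Subtraction order as reported. The balance grows during the withdrawal,
    // so previousBalance < currentBalance and the checked subtraction reverts
    // for every call that actually receives tokens.
    function withdrawReported(uint256 yShares) external returns (uint256) {
        uint256 previousBalance = token.balanceOf(address(this));
        vault.withdraw(yShares);
        uint256 currentBalance = token.balanceOf(address(this));
        return previousBalance - currentBalance; // underflow => revert
    }

    // Return expression from the recommended mitigation: the amount of tokens
    // received, or 0 if the balance did not increase.
    function withdrawMitigated(uint256 yShares) external returns (uint256) {
        uint256 previousBalance = token.balanceOf(address(this));
        vault.withdraw(yShares);
        uint256 currentBalance = token.balanceOf(address(this));
        return currentBalance > previousBalance ? currentBalance - previousBalance : 0;
    }
}
```

Calling `withdrawReported(100)` reverts with an arithmetic panic, while `withdrawMitigated(100)` returns 100; a regression test for the fix should assert both the returned amount and the contract's token balance after the call.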
