Remaining dust from Ether deposits is not returned to users #455
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-152
high quality report: This report is of especially high quality
satisfactory: satisfies C4 submission criteria; eligible for awards
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4 added the 2 (Med Risk) and bug labels on Mar 29, 2023
c4-pre-sort added the high quality report label on Apr 3, 2023
0xSorryNotSorry marked the issue as high quality report
c4-pre-sort added the primary issue label (Highest quality submission among a set of duplicates) on Apr 4, 2023
0xSorryNotSorry marked the issue as primary issue
This will result in more gas spent by the user to recover dust, therefore resulting in a lower ETH balance overall.
toshiSat marked the issue as sponsor disputed
c4-sponsor added the sponsor disputed label on Apr 7, 2023
c4-judge added the duplicate-152 label and removed the primary issue label on Apr 24, 2023
Picodes marked issue #152 as primary and marked this issue as a duplicate of 152
Picodes marked the issue as satisfactory
c4-judge added the satisfactory label on Apr 24, 2023
This issue was closed.
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L88
Vulnerability details
When users stake Ether, some dust is left from the calculations corresponding to the Ether that has to be deposited for each derivative. This is due to some precision loss when calculating the weighted amounts.
Impact
Users lose the Ether dust that is not being used for staking. The dust is locked on the SafEth contract.
Proof of Concept
There is some precision loss in line 88:
uint256 ethAmount = (msg.value * weight) / totalWeight;
Each weighted ethAmount is deposited for each derivative, but the sum of all those amounts is less than the msg.value. That dust is left on the contract and not returned to the user.
Link to code
Test
Add the following test to the describe("Af Strategy") in test/SafEth.test.ts to prove that Ether dust is locked in the contract:
Tools Used
Manual review
Recommended Mitigation Steps
Return the Ether dust not used for staking to the user:
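The truncation in line 88 and a refund-style mitigation, modelled in Python as an added example (this is not the report's test or mitigation code, and not the project's code). The weights and deposit sizes are constructed, and `split_deposit`, `stake`, `dust_bound` and `worst_dust` are hypothetical names.

```python
# Added example: models the uint256 arithmetic of line 88 with Python ints.
# Weights and deposit sizes are constructed; function names are hypothetical.
WEI = 10**18


def split_deposit(msg_value, weights):
    """Per-derivative amounts: (msg.value * weight) / totalWeight, truncated."""
    total_weight = sum(weights)
    if total_weight == 0:
        raise ValueError("totalWeight must be non-zero")
    # Solidity's unsigned `/` truncates, which `//` reproduces for non-negative ints.
    return [(msg_value * w) // total_weight for w in weights]


def stake(msg_value, weights, refund_dust):
    """Return (amounts deposited, wei refunded to the user, wei left in the contract)."""
    amounts = split_deposit(msg_value, weights)
    dust = msg_value - sum(amounts)  # what truncation failed to allocate
    refunded = dust if refund_dust else 0
    return amounts, refunded, dust - refunded


def dust_bound(weights):
    """Each non-zero weight truncates by less than 1 wei and the truncated parts
    sum to a whole number, so dust is at most (non-zero weights - 1) wei."""
    return max(sum(1 for w in weights if w) - 1, 0)


def worst_dust(weights, values):
    """Largest dust observed over the given deposit sizes."""
    return max(stake(v, weights, False)[2] for v in values)


if __name__ == "__main__":
    weights = [1, 1, 1]  # constructed: three equally weighted derivatives
    for value in (WEI, WEI // 2, 3 * WEI):
        amounts, refunded, stranded = stake(value, weights, refund_dust=False)
        print(f"unpatched deposit={value} sum={sum(amounts)} stranded={stranded}")
        amounts, refunded, stranded = stake(value, weights, refund_dust=True)
        assert sum(amounts) + refunded == value and stranded == 0
        print(f"patched   deposit={value} refunded={refunded} stranded={stranded}")
    print("bound:", dust_bound(weights), "worst seen:",
          worst_dust(weights, range(WEI, WEI + 1000)))
```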