CollateralTracker lacks slippage protection in redeem() and withdraw() functions #411
Labels: bug (Something isn't working); downgraded by judge (Judge downgraded the risk level of this issue); duplicate-365; edited-by-warden; grade-c; QA (Quality Assurance: Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax); 🤖_360_group (AI based duplicate group recommendation)
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L591-L626
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L531-L566
Vulnerability details
Description
Users who previously deposited assets can get them back via withdraw() or redeem(). Under normal circumstances the exchange is 1:1, so a user expects to receive at least as many assets as they deposited. There are occasions, however, where the assets returned by a withdrawal or redemption are less than the original deposit: this happens when the vault experiences losses.

redeem() calls previewRedeem(), which in turn calls convertToAssets(); the conversion reduces to

shares * totalAssets() / totalSupply()

When totalAssets() decreases, the returned value (assets) decreases with it. Here is a scenario where the losses happen:

1. Alice holds 1000 shares, minted when the vault was at a 1:1 ratio, and submits a redeem of the full amount, expecting 1000 assets in exchange for her 1000 shares.
2. Before her transaction executes, totalAssets() drops by 10% below the original 1:1 ratio.
3. Her redeem executes at the new ratio and she receives only 900 assets for her 1000 shares.

If Alice had known this would happen, she might have opted to wait until the ratio recovered to at least 1:1 and redeemed her original deposit amount. Without slippage protection, Alice has to absorb the loss.
The same principle applies to withdraw(), with a slight difference. In redeem() the input (fixed) amount of shares is exchanged for assets; when losses occur, that fixed amount of shares produces fewer assets. In withdraw() the input (fixed) amount of assets causes more shares to be burned to obtain the same asset amount, which is in itself a loss.

withdraw() calls previewWithdraw(), whose math reduces to

assets * supply / totalAssets()

When totalAssets() decreases, the returned value (shares) increases, forcing more shares to be burned.
Impact
Without slippage protection on redeem() and withdraw(), users lose funds whenever a vault loss lands between the submission and the execution of their redeem / withdraw transaction: the transaction still succeeds, but at a worse ratio than the one the user saw when submitting it.
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Implement functions with the same names, redeem / withdraw, but a different set of parameters (overloads, so the ERC4626 signatures remain intact) that take an additional minAssets and maxShares parameter respectively.
For redeem(): revert if the assets computed by previewRedeem(shares) are less than minAssets.
For withdraw(): revert if the shares computed by previewWithdraw(assets) exceed maxShares.
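A Python model of the share/asset arithmetic discussed above and of the proposed minAssets / maxShares checks, added to this page as an illustration. It is not Panoptic's code: the Vault class, its method names and the 10% loss scenario are constructed for the example. Rounding follows ERC4626 (convertToAssets rounds down, previewWithdraw rounds up), so both the asset shortfall in redeem() and the extra shares burned in withdraw() show up in the numbers.

```python
# Added example: model of ERC4626-style redeem()/withdraw() accounting and the
# slippage-protected overloads proposed in the mitigation. Not CollateralTracker's
# Solidity; Vault, its method names and the scenario numbers are assumptions.
from dataclasses import dataclass


def mul_div_down(a: int, b: int, d: int) -> int:
    """a * b / d rounded toward zero, like Solidity's integer division."""
    return (a * b) // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """a * b / d rounded up; ERC4626 rounds against the caller in previewWithdraw()."""
    return -((-(a * b)) // d)


class SlippageExceeded(Exception):
    """Stand-in for the Solidity revert the protected overloads would raise."""


@dataclass
class Vault:
    """Minimal ERC4626-style accounting (assumed model, not CollateralTracker itself)."""
    total_assets: int
    total_supply: int

    # Preview math, mirroring the two expressions quoted in the report.
    def convert_to_assets(self, shares: int) -> int:
        # shares * totalAssets() / totalSupply()
        return mul_div_down(shares, self.total_assets, self.total_supply)

    def preview_redeem(self, shares: int) -> int:
        return self.convert_to_assets(shares)

    def preview_withdraw(self, assets: int) -> int:
        # assets * supply / totalAssets(), rounded up so the vault never under-burns
        return mul_div_up(assets, self.total_supply, self.total_assets)

    # Unprotected versions: whatever the current ratio yields is what the caller gets.
    def redeem(self, shares: int) -> int:
        assets = self.preview_redeem(shares)
        self._settle(shares, assets)
        return assets

    def withdraw(self, assets: int) -> int:
        shares = self.preview_withdraw(assets)
        self._settle(shares, assets)
        return shares

    # Protected overloads as proposed in the mitigation: same inputs plus a bound.
    def redeem_min(self, shares: int, min_assets: int) -> int:
        assets = self.preview_redeem(shares)
        if assets < min_assets:
            raise SlippageExceeded(f"redeem would return {assets} assets < minAssets {min_assets}")
        self._settle(shares, assets)
        return assets

    def withdraw_max(self, assets: int, max_shares: int) -> int:
        shares = self.preview_withdraw(assets)
        if shares > max_shares:
            raise SlippageExceeded(f"withdraw would burn {shares} shares > maxShares {max_shares}")
        self._settle(shares, assets)
        return shares

    def _settle(self, shares: int, assets: int) -> None:
        self.total_supply -= shares
        self.total_assets -= assets


def alice_scenario(loss_bps: int = 1000) -> tuple[int, int, bool]:
    """Constructed scenario: a 10_000-share vault at 1:1; Alice owns 1000 shares.

    A loss of loss_bps (default 10%) hits totalAssets() after Alice submits her
    transaction but before it executes. Returns (assets her unprotected redeem
    pays out, shares her unprotected withdraw of 1000 assets burns, whether the
    protected redeem with minAssets=1000 reverts).
    """
    start_assets = 10_000
    after_loss = start_assets - start_assets * loss_bps // 10_000
    supply = 10_000

    got_assets = Vault(after_loss, supply).redeem(1000)    # fewer assets out
    burned = Vault(after_loss, supply).withdraw(1000)      # more shares burned
    try:
        Vault(after_loss, supply).redeem_min(1000, min_assets=1000)
        reverted = False
    except SlippageExceeded:
        reverted = True                                     # Alice keeps her shares
    return got_assets, burned, reverted


if __name__ == "__main__":
    assets, shares, reverted = alice_scenario()
    print(f"unprotected redeem(1000 shares) -> {assets} assets")
    print(f"unprotected withdraw(1000 assets) -> burns {shares} shares")
    print(f"redeem(1000, minAssets=1000) reverts: {reverted}")
```

Run as a script to print the three results. The point to observe is that the unprotected calls succeed at the degraded ratio (900 assets out for 1000 shares; 1112 shares burned for 1000 assets), while the bounded overload reverts and leaves Alice's shares untouched until she chooses to accept the new ratio.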
Assessed type
Other