Vault does not conform to ERC4626. #43
Labels: bug, downgraded by judge, duplicate-501, grade-c, partial-25 (incomplete articulation of vulnerability; eligible for partial credit only, 25%), QA (Quality Assurance), 🤖_43_group, sponsor disputed
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L392-L394
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L444-L448
Vulnerability details
Impact
Vault does not conform to ERC4626 which may break external integrations.
Proof of Concept
The ERC4626 specification states that maxDeposit MUST return the maximum amount of assets deposit would allow to be deposited for receiver and not cause a revert, which MUST NOT be higher than the actual maximum that would be accepted.
Similarly, maxMint MUST return the maximum amount of shares mint would allow to be deposited to receiver and not cause a revert, which MUST NOT be higher than the actual maximum that would be accepted.
CollateralTracker.sol#L392-L394 and CollateralTracker.sol#L444-L448 (the two ranges linked under Lines of code above)
The CollateralTracker contract is an ERC4626 vault, so its maxDeposit and maxMint must satisfy the ERC4626 requirements quoted above for those functions. The vulnerability is similar to PoolTogether M-23, where the vault does not conform to ERC4626.
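A runnable model of the property this report relies on, added here as an illustration and not Panoptic's code: a hypothetical vault whose deposit path enforces a pause flag, a per-call ceiling and a TVL cap, with maxDeposit either returning a constant (the non-conforming pattern) or the real bound, and a check that deposit(maxDeposit) and mint(maxMint) do not revert. The Vault class, its constraint names and the conforms function are constructed for this example.

```python
import copy

class Revert(Exception):
    """Stands in for an EVM revert."""

class Vault:
    """Hypothetical vault (constructed for this example, not Panoptic's code):
    deposit checks a pause flag, a per-call ceiling and a TVL cap; non-empty."""
    PER_CALL_CEILING = 2**104 - 1   # hypothetical per-deposit ceiling in assets

    def __init__(self, total_assets, total_supply, tvl_cap, paused=False, compliant=True):
        self.total_assets, self.total_supply = total_assets, total_supply
        self.tvl_cap, self.paused, self.compliant = tvl_cap, paused, compliant
    def convert_to_shares(self, assets):   # rounds down, as most vaults do
        return assets * self.total_supply // self.total_assets
    def preview_mint(self, shares):        # assets owed for `shares`, rounded up
        return -(-(shares * self.total_assets) // self.total_supply)
    def deposit(self, assets, receiver):
        if (self.paused or assets > self.PER_CALL_CEILING
                or self.total_assets + assets > self.tvl_cap):
            raise Revert("deposit rejected")
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares
    def mint(self, shares, receiver):
        return self.deposit(self.preview_mint(shares), receiver)
    def max_deposit(self, receiver):
        if not self.compliant:              # the pattern the report objects to:
            return self.PER_CALL_CEILING    # a constant that ignores the other checks
        if self.paused:
            return 0                        # spec: 0 when deposits are disabled
        return min(self.PER_CALL_CEILING, self.tvl_cap - self.total_assets)
    def max_mint(self, receiver):           # round down, so mint(max_mint) fits max_deposit
        return self.convert_to_shares(self.max_deposit(receiver))

def conforms(vault, receiver="0xreceiver"):
    """ERC-4626 property: deposit(maxDeposit) and mint(maxMint) must not revert."""
    for action, limit in (("deposit", "max_deposit"), ("mint", "max_mint")):
        probe = copy.deepcopy(vault)        # every probe starts from the same state
        amount = getattr(probe, limit)(receiver)
        if amount == 0:                     # 0 means the action is disabled
            continue
        try:
            getattr(probe, action)(amount, receiver)
        except Revert:
            return False
    return True
```

The same probe, run against the deployed contract from a fork test, is how an integrator that trusts maxDeposit/maxMint would detect the mismatch before relying on the values.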
Tools Used
Manual review, ERC4626 Tokenized Vaults
Recommended Mitigation Steps
Replace the implementation of the vault's maxDeposit and maxMint functions so that they return the actual maximum amount of assets or shares that deposit and mint would accept for the receiver without reverting, as ERC4626 requires.
Assessed type
ERC4626