-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CollateralTracker is not EIP4626 compliant: maxMint
is calculated to be too large
#501
Comments
Picodes marked the issue as duplicate of #553 |
Picodes marked the issue as satisfactory |
Picodes marked the issue as selected for report |
This is a good point and we will fix, but not sure it fulfills Medium severity given the lack of impact (& CollateralTracker is not on the compliance checklist). The only impact of this is that if, for some reason, users attempt to mint with the result of Even if |
Hello Judge, in case this remains as medium, I'd like to ask this finding from my QA report to be marked as a duplicate of this report. In that finding, I explained the same issue reported in this report. |
As the contract is not in the compliance checklist, the argument for med "broken functionality", the functionality being the compliance to the EIP doesn't hold, so QA is more appropriate. |
Picodes changed the severity to QA (Quality Assurance) |
Picodes marked the issue as not selected for report |
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L444-L448
Vulnerability details
Impact
CollateralTracker is not EIP4626 compliant. Specifically, the
maxMint
is calculated to be too large, and users will fail minting the sharesmaxMint
returns.Bug Description
First, let's quote the EIP4626 doc https://eips.ethereum.org/EIPS/eip-4626:
The
maxMint
value should never be overestimated, and user should always be able to mint the amount of assetsmaxMint
returns.However, this is not the case for CollateralTracker. For CollateralTracker, and the share to mint formula (by
previewMint
) is:assets = shares * DECIMALS * totalAssets / (totalSupply * (DECIMALS - COMMISSION_FEE))
.From which we can derive
shares = assets * (totalSupply * (DECIMALS - COMMISSION_FEE)) / (totalAssets * DECIMALS)
, and given the maximum assets isuint104.max
, the correct maximum shares (maxMint) should beconvertToShares(type(uint104).max * (DECIMALS - COMMISSION_FEE)) / DECIMALS
which is smaller than the currentmaxMint()
.Proof of Concept
Add the following test code in
CollateralTracker.t.sol
. See that we try to mintmaxMint()
even with a 1e18 buffer, but it still fails.Tools Used
Foundry
Recommended Mitigation Steps
Use
convertToShares(type(uint104).max * (DECIMALS - COMMISSION_FEE)) / DECIMALS
formaxMint
function.Assessed type
Other
The text was updated successfully, but these errors were encountered: