MaxLimit is not implemented in minting #513
Labels: bug (Something isn't working); downgraded by judge (Judge downgraded the risk level of this issue); duplicate-501; grade-b; Q-10 / QA (Quality Assurance: assets are not at risk; state handling, function incorrect as to spec, issues with clarity, syntax); 🤖_61_group (AI based duplicate group recommendation); satisfactory (satisfies C4 submission criteria; eligible for awards)
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L480
Vulnerability details
Impact
The maxMint function is intended to limit the number of shares that can be minted, based on the total supply of shares and the current pool utilization. Because the mint path does not enforce this limit, users may be able to mint more shares than intended, potentially leading to imbalances in the system or allowing an excessive number of shares beyond the protocol's limits to be minted. The impact of such an imbalance is low, but the likelihood is high.
Proof of Concept
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L480
The mint path only caps the deposit at type(uint104).max, so an amount in the range

type(uint104).max > [assets to be minted] > maxMint

is accepted even though it exceeds maxMint. From the definition of maxMint,

type(uint104).max * totalSupply / totalAssets * dec / (dec + fee) <= maxMint

so for totalSupply <= totalAssets we can say maxMint < type(uint104).max, and the first inequality can therefore hold at any time.
Tools Used
Manual Review
Recommended Mitigation Steps
The function should ensure that the maximum number of shares that can be minted does not exceed the protocol's set limits, as defined by maxMint.
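The following Python model is added here to illustrate both the proof of concept and the recommended mitigation; it is not part of the submission and not Panoptic's code. It assumes an ERC-4626-style convertToShares (shares = assets * totalSupply / totalAssets), uses the maxMint expression from the proof of concept with constructed values dec = 10_000 and fee = 10, and the function names mint_unchecked and mint_checked are hypothetical stand-ins for a mint that enforces only the uint104 cap versus one that also enforces maxMint.

```python
# Added model of the finding's inequality and mitigation; not Panoptic's code.
# Assumptions: ERC-4626-style share conversion; dec/fee values are constructed.
UINT104_MAX = 2**104 - 1


def convert_to_shares(assets, total_supply, total_assets):
    # ERC-4626-style conversion (assumed shape). With an empty vault shares are 1:1.
    if total_assets == 0:
        return assets
    return assets * total_supply // total_assets


def max_mint(total_supply, total_assets, dec, fee):
    # The bound from the proof of concept:
    # type(uint104).max * totalSupply / totalAssets * dec / (dec + fee)
    return convert_to_shares(UINT104_MAX, total_supply, total_assets) * dec // (dec + fee)


def mint_unchecked(assets, total_supply, total_assets):
    # Hypothetical mint that enforces only the uint104 deposit cap
    # (the behaviour the finding describes); maxMint is never consulted.
    if assets > UINT104_MAX:
        raise ValueError("DepositTooLarge")
    return convert_to_shares(assets, total_supply, total_assets)


def mint_checked(assets, total_supply, total_assets, dec, fee):
    # Mitigation: keep the cap and additionally refuse any mint whose
    # share amount would exceed maxMint().
    if assets > UINT104_MAX:
        raise ValueError("DepositTooLarge")
    shares = convert_to_shares(assets, total_supply, total_assets)
    if shares > max_mint(total_supply, total_assets, dec, fee):
        raise ValueError("ExceedsMaxMint")
    return shares


def gap_exists(total_supply, total_assets, dec, fee):
    # True when an asset amount that passes the uint104 cap still converts
    # to more shares than maxMint allows (the window the finding describes).
    limit = max_mint(total_supply, total_assets, dec, fee)
    return convert_to_shares(UINT104_MAX, total_supply, total_assets) > limit


def checked_mint_rejects(assets, total_supply, total_assets, dec, fee):
    # Helper for verification: does the hardened mint refuse this amount?
    try:
        mint_checked(assets, total_supply, total_assets, dec, fee)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed pool state: totalSupply == totalAssets, dec = 10_000, fee = 10.
    supply, assets_in_pool, dec, fee = 1_000_000, 1_000_000, 10_000, 10
    print("maxMint < uint104 max:", max_mint(supply, assets_in_pool, dec, fee) < UINT104_MAX)
    print("gap exists:", gap_exists(supply, assets_in_pool, dec, fee))
    print("unchecked mint of uint104 max shares:", mint_unchecked(UINT104_MAX, supply, assets_in_pool))
    print("checked mint rejects it:", checked_mint_rejects(UINT104_MAX, supply, assets_in_pool, dec, fee))
```

With totalSupply <= totalAssets the model confirms that maxMint falls below type(uint104).max, that the cap-only mint accepts a deposit whose share amount exceeds maxMint, and that the hardened mint rejects the same deposit.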
Assessed type
Other