-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
maxMint()
violates EIP-4626
#553
Comments
Picodes marked the issue as primary issue |
This is correct but EIP-4626 is not listed in the compliance requirements, so unsure whether Medium or Low severity would be most appropriate (the impact of this is very limited given that it is only an issue in the |
Picodes marked the issue as satisfactory |
Picodes marked the issue as selected for report |
Picodes marked issue #501 as primary and marked this issue as a duplicate of 501 |
Picodes changed the severity to QA (Quality Assurance) |
Picodes marked the issue as grade-b |
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L446
Vulnerability details
Impact
CollateralTracker.maxMint()
is incorrect and violates EIP-4626.Proof of Concept
In CollateralTracker.sol
whereas
mint()
is only limited bywhere
previewMint()
isThis means that
maxMint()
should rather returntype(uint104).max * totalSupply * (DECIMALS - COMMISSION_FEE) / (totalAssets() * DECIMALS)
.There are several errors in the original
maxMint()
: the+
inDECIMALS + COMMISSION_FEE
, the inversion ofDECIMALS / (DECIMALS - COMMISSION_FEE)
, and the use ofconvertToShares()
. The latter causes a rounding error from a multiplication on a division.CollateralTracker is an ERC4626 vault. Since
DECIMALS / (DECIMALS + COMMISSION_FEE) > (DECIMALS - COMMISSION_FEE) / DECIMALS
maxMint()
returns too much. This can also be seen in the test case below which on the current code reverts due toDepositTooLarge()
. This means thatmaxMint()
violates "MUST NOT be higher than the actual maximum that would be accepted (it should underestimate if necessary)".Paste the below test case into CollateralTracker.t.sol and run with
forge test --match-test test_maxMint
. This test should pass. It fails with the current code, but passes with the recommended fix below.Recommended Mitigation
Assessed type
ERC4626
The text was updated successfully, but these errors were encountered: