Lack of overflow validation allows manipulation of s_poolAssets leading to incorrect totalAssets calculation #30
Labels
1st place
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-38
grade-b
Q-02
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_04_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/main/contracts/CollateralTracker.sol#L578
Vulnerability details
Impact
The lack of overflow validation allows s_poolAssets to be manipulated.
Once overflow occurs, totalAssets can be set higher than the actual collaterals, preventing other users from withdrawing their own collateral due to the incorrect totalAssets.
Proof of Concept
totalAssets is calculated as the sum of s_poolAssets and s_inAMM.
If a user owns 50% of the totalShares, their withdrawal assets are calculated as:
If s_inAMM is significantly larger than s_poolAssets, the calculated assets can exceed s_poolAssets, leading to an overflow of s_poolAssets.
s_poolAssets and s_inAMM are calculated in the takeCommissionAddData function.
Tools Used
Manual review
Recommended Mitigation Steps
Add overflow validation or remove the unchecked to prevent manipulation of s_poolAssets.
function withdraw( uint256 assets, address receiver, address owner, TokenId[] calldata positionIdList ) external returns (uint256 shares) { + if (assets > s_poolAssets) revert Errors.ExceedsMaximumRedemption(); shares = previewWithdraw(assets); ... }
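Review bot: the guard `if (assets > s_poolAssets)` sits at the top of withdraw, while the unchecked update of s_poolAssets that it protects is somewhere in the elided body, so nothing at the subtraction itself records that it depends on this check. Add a comment at the unchecked block pointing back to the guard, or drop the unchecked as the report's alternative suggests, so a later refactor cannot remove one without the other. Reusing Errors.ExceedsMaximumRedemption for what is a pool-liquidity bound also blurs the revert reason; a short comment or a distinct error would make the failure easier to diagnose.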
Assessed type
Under/Overflow
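The arithmetic described in the proof of concept, as an added Python model that is not part of the original report or of the Panoptic code base. It shows the tracked pool balance wrapping when the subtraction is unchecked, and the proposed guard rejecting the same call. The 128-bit width, the pro-rata conversion, the sample balances and the names TrackerModel, claim_for and run_case are assumptions for illustration; share burning and token transfers are left out.

```python
# Added illustration: a simplified model, not the CollateralTracker source.
from dataclasses import dataclass

UINT128_MASK = (1 << 128) - 1  # assumption: s_poolAssets is a 128-bit counter


@dataclass
class TrackerModel:
    s_pool_assets: int  # tokens the tracker believes sit in the pool
    s_in_amm: int       # tokens accounted as deployed in the AMM
    total_shares: int

    def total_assets(self) -> int:
        # From the report: totalAssets = s_poolAssets + s_inAMM
        return self.s_pool_assets + self.s_in_amm

    def claim_for(self, shares: int) -> int:
        # Assumption: pro-rata share-to-asset conversion, rounded down
        return shares * self.total_assets() // self.total_shares

    def withdraw(self, assets: int, guarded: bool) -> None:
        # guarded=True applies the check proposed in the mitigation
        if guarded and assets > self.s_pool_assets:
            raise ValueError("ExceedsMaximumRedemption")
        # Model of an unchecked subtraction: wraps modulo 2**128
        self.s_pool_assets = (self.s_pool_assets - assets) & UINT128_MASK


def run_case(guarded: bool):
    # Constructed state: most collateral is in the AMM, little in the pool
    t = TrackerModel(s_pool_assets=100, s_in_amm=900, total_shares=1_000)
    assets = t.claim_for(500)  # holder of 50% of the shares
    try:
        t.withdraw(assets, guarded)
    except ValueError as exc:
        return assets, t.s_pool_assets, str(exc)
    return assets, t.s_pool_assets, None


if __name__ == "__main__":
    for guarded in (False, True):
        print(guarded, run_case(guarded))
```

Without the guard, the tracked pool balance ends far above the 100 tokens the model started with; with it, the state is unchanged and the call is rejected.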