Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of overflow validation allows manipulation of s_poolAssets leading to incorrect totalAssets calculation #30

Open
howlbot-integration bot opened this issue Jun 11, 2024 · 4 comments
Open

Lack of overflow validation allows manipulation of s_poolAssets leading to incorrect totalAssets calculation #30

howlbot-integration bot opened this issue Jun 11, 2024 · 4 comments
Labels
1st place bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-38 grade-b Q-02 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_04_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-06-panoptic/blob/main/contracts/CollateralTracker.sol#L578

Vulnerability details

Impact

The lack of overflow validation allows s_poolAssets to be manipulated.
Once overflow occurs, totalAssets can be set higher than the actual collaterals, preventing other users from withdrawing their own collateral due to the incorrect totalAssets.

Proof of Concept

totalAssets is calculated as the sum of s_poolAssets and s_inAMM.

shares = assets * totalSupply / totalAssets()
assets = shares / totalSupply * (s_poolAssets + s_inAMM)

If a user owns 50% of the totalShares, their withdrawal assets are calculated as:

assets = 0.5 * (s_poolAssets + s_inAMM)

If s_inAMM is significantly larger than s_poolAssets, the calculated assets can exceed s_poolAssets, leading to an overflow of s_poolAssets.

assets = 0.5 * (s_poolAssets + s_poolAssets + x)

s_poolAssets and s_inAMM are calculated in the takeCommissionAddData function.

File: https://github.com/code-423n4/2024-06-panoptic/blob/main/contracts/CollateralTracker.sol#L578
    function withdraw(
        uint256 assets,
        address receiver,
        address owner,
        TokenId[] calldata positionIdList
    ) external returns (uint256 shares) {
        shares = previewWithdraw(assets);

        // check/update allowance for approved withdraw
        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender]; // Saves gas for limited approvals.

            if (allowed != type(uint256).max) allowance[owner][msg.sender] = allowed - shares;
        }

        // burn collateral shares of the Panoptic Pool funds (this ERC20 token)
        _burn(owner, shares);

        // update tracked asset balance
        unchecked {
            s_poolAssets -= uint128(assets); // @audit assets can be larger than s_poolAssets?
        }
        ...
    }

Tools Used

Manual review

Recommended Mitigation Steps

Add overflow validation or remove the unchecked to prevent manipulation of s_poolAssets.

    function withdraw(
        uint256 assets,
        address receiver,
        address owner,
        TokenId[] calldata positionIdList
    ) external returns (uint256 shares) {
+        if (assets > s_poolAssets) revert Errors.ExceedsMaximumRedemption();
        shares = previewWithdraw(assets);
        ...
    }

Assessed type

Under/Overflow
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_04_group AI based duplicate group recommendation bug Something isn't working primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Jun 11, 2024
howlbot-integration bot added a commit that referenced this issue Jun 11, 2024
@howlbot-integration
bigtone issue #30
bf53fb7
@c4-judge
Copy link

Picodes marked the issue as duplicate of #38

@c4-judge c4-judge added duplicate-38 and removed primary issue Highest quality submission among a set of duplicates labels Jun 13, 2024
@c4-judge
Copy link

Picodes changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 13, 2024
@c4-judge
Copy link

Picodes marked the issue as grade-b

@liveactionllama
Copy link
Contributor

Per direction from the judge, staff have marked as 1st place. Also noting there was a tie for 1st/2nd place.

@C4-Staff C4-Staff reopened this Jun 20, 2024
@C4-Staff C4-Staff added the Q-02 label Jun 20, 2024
@stalinMacias stalinMacias mentioned this issue Jun 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1st place bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-38 grade-b Q-02 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_04_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@liveactionllama @c4-judge @C4-Staff