This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
sherlock-admin opened this issue
Mar 27, 2023
· 0 comments
Labels
- Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
- High: A valid High severity issue
- Reward: A payout will be made for this issue
hickuphh3

high

Users lose profit in mintRollovers from incorrect variable used

Summary
If users win an epoch, they are credited `entitledShares`, which is greater than `queueItem.assets`, but `assetsToMint` uses the latter instead, resulting in the difference being unaccounted for / lost.

Vulnerability Detail
Minting rollovers only happen if the user won an epoch, where `entitledShares` is expected to be greater than `queueItem.assets`.

```solidity
uint256 entitledShares = previewWithdraw(
    queueItem.epochId,
    queueItem.assets
);
// mint only if user won epoch he is rolling over
if (entitledShares > queueItem.assets) {
```

However, `assetsToMint` is calculated using `queueItem.assets` instead of `entitledShares`. The difference `entitledShares - queueItem.assets` is therefore unaccounted for.

Impact
Users' profits are lost.

Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L396-L401
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L436-L437

Tool used
Manual Review

Recommendation
Technically, the same change can be applied for the minimum relayer fee check too:

Duplicate of #163
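The following is an added Python model of the rollover accounting the report describes; it is not code from the Y2K Carousel repository or from the reporter. It assumes `previewWithdraw` behaves like a payout ratio applied to the queued shares and that `assetsToMint` has the shape `basis - relayerFee`; both are labelled assumptions in the code. Only the choice of basis (`queueItem.assets` as reported, versus `entitledShares`) is taken from the issue. The model processes a constructed rollover queue both ways and sums the value that ends up neither minted nor paid to the relayer, which is the amount the report calls unaccounted for.

```python
# Added example, not project code: a model of mintRollovers accounting.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class QueueItem:
    receiver: str
    epoch_id: int
    assets: int  # previous-epoch shares queued for rollover (queueItem.assets)


@dataclass(frozen=True)
class EpochOutcome:
    # Constructed: the winner payout is modelled as a ratio applied to deposited shares.
    payout_num: int
    payout_den: int


def preview_withdraw(epoch: EpochOutcome, shares: int) -> int:
    """Assumed shape of previewWithdraw: shares scaled by the epoch payout, floored like integer math."""
    return shares * epoch.payout_num // epoch.payout_den


@dataclass(frozen=True)
class RolloverResult:
    entitled: int  # entitledShares credited to the user for the won epoch
    minted: int    # assetsToMint actually minted into the next epoch
    lost: int      # value neither minted nor paid to the relayer


def mint_rollover(item: QueueItem, epoch: EpochOutcome, relayer_fee: int,
                  use_entitled: bool) -> Optional[RolloverResult]:
    """Process one queue item.

    use_entitled=False reproduces the reported behaviour (assetsToMint based on
    queueItem.assets); use_entitled=True bases it on entitledShares instead.
    Returns None when the rollover is skipped.
    """
    entitled = preview_withdraw(epoch, item.assets)
    # mint only if user won epoch he is rolling over
    if entitled <= item.assets:
        return None
    basis = entitled if use_entitled else item.assets
    # Minimum relayer fee check on the same basis (the report notes the same
    # variable change applies here too). Assumed shape: skip if fee not covered.
    if basis < relayer_fee:
        return None
    minted = basis - relayer_fee          # assumed shape: assetsToMint = basis - relayerFee
    lost = entitled - relayer_fee - minted  # what the user was entitled to but never receives
    return RolloverResult(entitled=entitled, minted=minted, lost=lost)


def total_unaccounted(queue: Iterable[QueueItem], epoch: EpochOutcome,
                      relayer_fee: int, use_entitled: bool = False) -> int:
    """Sum of value left unaccounted for across a whole rollover queue."""
    results = (mint_rollover(q, epoch, relayer_fee, use_entitled) for q in queue)
    return sum(r.lost for r in results if r is not None)


# Constructed sample data
WON_EPOCH = EpochOutcome(payout_num=3, payout_den=2)   # winners receive 1.5x their shares
LOST_EPOCH = EpochOutcome(payout_num=1, payout_den=2)  # losers receive 0.5x
SAMPLE_QUEUE = [
    QueueItem("alice", epoch_id=1, assets=1_000),
    QueueItem("bob", epoch_id=1, assets=40_000),
    QueueItem("carol", epoch_id=1, assets=4),  # too small to cover the relayer fee
]
RELAYER_FEE = 10

if __name__ == "__main__":
    for label, flag in (("queueItem.assets", False), ("entitledShares", True)):
        total = total_unaccounted(SAMPLE_QUEUE, WON_EPOCH, RELAYER_FEE, flag)
        print(f"basis={label}: unaccounted value={total}")
```

With the constructed inputs, basing `assetsToMint` on `queueItem.assets` leaves each winner's gain (`entitledShares - queueItem.assets`) unaccounted for, while basing it on `entitledShares` leaves nothing unaccounted for; queue items from a lost epoch, or too small to cover the fee, are skipped in both variants.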