Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The _currentExchangeRate of the Vault contract can't increase, and always be lower than or equal to _assetUnit #443

Open
code423n4 opened this issue Jul 14, 2023 · 9 comments
Open

The _currentExchangeRate of the Vault contract can't increase, and always be lower than or equal to _assetUnit #443

code423n4 opened this issue Jul 14, 2023 · 9 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1168-L1187

Vulnerability details

Impact

The _currentExchangeRate of the Vault contract can not increase, and always be lower than or equal to _assetUnit. Therefore, when the vault is undercollateralized (_currentExchangeRate < _assetUnit), it can't be further collateralized.

Proof of concept

function _currentExchangeRate() internal view returns (uint256) {
    uint256 _totalSupplyAmount = _totalSupply();
    uint256 _totalSupplyToAssets = _convertToAssets(
      _totalSupplyAmount,
      _lastRecordedExchangeRate,
      Math.Rounding.Down
    );

    uint256 _withdrawableAssets = _yieldVault.maxWithdraw(address(this));

    if (_withdrawableAssets > _totalSupplyToAssets) {
      _withdrawableAssets = _withdrawableAssets - (_withdrawableAssets - _totalSupplyToAssets);
    }

    if (_totalSupplyAmount != 0 && _withdrawableAssets != 0) {
      return _withdrawableAssets.mulDiv(_assetUnit, _totalSupplyAmount, Math.Rounding.Down);
    }

    return _assetUnit;
  }

In case _totalSupplyAmount != 0 && _withdrawableAssets != 0, _currentExchangeRate function will return a value _withdrawableAssets * _assetUnit / _totalSupplyAmount.

However _withdrawableAssets can not exceed _totalSupplyToAssets, which is equal to _totalSupplyAmount * _lastRecordedExchangeRate / _assetUnit.

Therefore, _currentExchangeRate always be lower than or equal to _lastRecordedExchangeRate.

Testing:
Add this assert line and run forge test , all tests will passed.

if (_totalSupplyAmount != 0 && _withdrawableAssets != 0) {
  assert(_withdrawableAssets.mulDiv(_assetUnit, _totalSupplyAmount, Math.Rounding.Down) <= _assetUnit);
  return _withdrawableAssets.mulDiv(_assetUnit, _totalSupplyAmount, Math.Rounding.Down);
}

Tool used

Manual Review

Recommended Mitigation Steps

Remove these lines of code that limit the _withdrawableAssets

if (_withdrawableAssets > _totalSupplyToAssets) {
  _withdrawableAssets = _withdrawableAssets - (_withdrawableAssets - _totalSupplyToAssets);
}

Assessed type

Context
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jul 14, 2023
code423n4 added a commit that referenced this issue Jul 14, 2023
@code423n4
KIntern_NA issue #443
da894b2
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jul 18, 2023
@c4-judge
Copy link
Contributor

Picodes marked the issue as primary issue

@c4-judge c4-judge mentioned this issue Jul 18, 2023
Closed
@asselstine
Copy link

Hmm not sure about this one. Will mark as confirm and figure it out later

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jul 20, 2023
@c4-sponsor
Copy link

asselstine marked the issue as sponsor confirmed

@Picodes
Copy link

Picodes commented Jul 29, 2023

@asselstine did you figure it out?
It seems to me that because of if (_withdrawableAssets > _convertToAssets(_totalSupplyAmount, _lastRecordedExchangeRate, Math.Rounding.Down)), the rate indeed can't increase which is a huge issue in case of a momentary undercollateralization.

@c4-judge
Copy link
Contributor

c4-judge commented Aug 5, 2023

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Aug 5, 2023
@Picodes Picodes mentioned this issue Aug 6, 2023
Closed
@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Aug 8, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Aug 8, 2023

Picodes marked the issue as selected for report

@PierrickGT
Copy link
Member

@asselstine did you figure it out? It seems to me that because of if (_withdrawableAssets > _convertToAssets(_totalSupplyAmount, _lastRecordedExchangeRate, Math.Rounding.Down)), the rate indeed can't increase which is a huge issue in case of a momentary undercollateralization.

Indeed, the exchange rate should not be greater than 1 cause users should not be able to claim the yield that has accrued in the YieldVault.
That's why we have the following condition:

if (_withdrawableAssets > _totalSupplyToAssets) {
  _withdrawableAssets = _withdrawableAssets - (_withdrawableAssets - _totalSupplyToAssets);
}

We subtract the yield from the total amount, the yield being the difference between _withdrawableAssets and _totalSupplyToAssets.

If the YIeldVault becomes undercollateralized, users won't be able to deposit anymore but will be able to withdraw their share of the deposit and any yield that as accrued and has not been claimed yet will be shared proportionally amongst users.

@PierrickGT
Copy link
Member

The code has been improved and clarified in the following PR: GenerationSoftware/pt-v5-vault#13

@Picodes
Copy link

Picodes commented Aug 12, 2023

Keeping high severity here because of the issue in case of temporary under-collateralization.

@C4-Staff C4-Staff added the H-01 label Aug 15, 2023
@code423n4 code423n4 mentioned this issue Aug 22, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@PierrickGT @asselstine @Picodes @code423n4 @c4-judge @c4-sponsor @C4-Staff