An early depositor can manipulate the shares price to profit from any future deposits #209
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-848
grade-b
partial-25: Incomplete articulation of vulnerability; eligible for partial credit only (25%)
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperVaultV2.sol#L331-L335
Vulnerability details
Impact
This is a well-known attack vector for almost all share-based liquidity pool contracts, where an early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share.
Proof of Concept
Refer to the link for a similar kind of attack vector.
https://github.com/sherlock-audit/2022-10-mycelium-judging#issue-h-1-attacker-can-manipulate-the-pricepershare-to-profit-from-future-users-deposits
Tools Used
Manual Review
Recommended Mitigation Steps
Mentioned in the link.
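The precision loss named in the Impact section, worked through as an added example that is not part of the original report or the audited contract. It assumes the generic proportional mint formula with floor division; the function names, the two vault states and the 10 bps threshold are hypothetical, and the guard is one possible deposit-time check, not the mitigation from the linked issue.

```python
# Added example; the mint formula is the generic proportional one, assumed here,
# not copied from ReaperVaultV2. All names and the 10 bps threshold are hypothetical.

def shares_for_deposit(amount, total_supply, total_assets):
    """Shares minted for `amount`, rounded down as integer-only contracts do."""
    if total_supply == 0:
        return amount  # first deposit mints 1:1
    return amount * total_supply // total_assets


def rounding_loss_bps(amount, total_supply, total_assets):
    """Basis points of `amount` the depositor could not redeem right after minting."""
    minted = shares_for_deposit(amount, total_supply, total_assets)
    if minted == 0:
        return 10_000  # nothing minted: the whole deposit accrues to existing holders
    new_supply = total_supply + minted
    new_assets = total_assets + amount
    redeemable = minted * new_assets // new_supply
    return (amount - redeemable) * 10_000 // amount


def check_deposit(amount, total_supply, total_assets, max_loss_bps=10):
    """Guard a vault could apply before minting: (accepted, reason)."""
    if shares_for_deposit(amount, total_supply, total_assets) == 0:
        return False, "zero shares minted"
    loss = rounding_loss_bps(amount, total_supply, total_assets)
    if loss > max_loss_bps:
        return False, f"rounding loss {loss} bps exceeds {max_loss_bps} bps"
    return True, "ok"


# Constructed states, in 18-decimal base units: (total_supply, total_assets).
HEALTHY = (10**21, 105 * 10**19)   # price per share about 1.05
SKEWED = (1, 10**18 + 1)           # price per share about 1e18 base units

if __name__ == "__main__":
    for name, (supply, assets) in (("healthy", HEALTHY), ("skewed", SKEWED)):
        for amount in (5 * 10**17, 19 * 10**17):
            print(name, amount, check_deposit(amount, supply, assets))
```

With the skewed state, a deposit smaller than one share's price mints nothing and a deposit of 1.9 share prices mints a single share, so the same check that passes on the healthy state rejects both.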