Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No slippage check during withdraw/deposit #451

Open
c4-bot-2 opened this issue Mar 15, 2024 · 6 comments
Open

No slippage check during withdraw/deposit #451

c4-bot-2 opened this issue Mar 15, 2024 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-281 grade-b Q-05 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_143_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-2
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L877-#L917
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L920-#L952

Vulnerability details

Vulnerability details

The deposit/withdraw function in the V3Vault lacks a mechanism for users to express their minimum acceptable output. This deficiency exposes users to potential losses of their principal due to update of the rate

In the _deposit() function, amount and shares is directly converted to the other by calling _convertToAssets/_convertToShares() function, and it is rely on newLendExchangeRateX96. The update of newLendExchangeRateX96 can make user receive less shares/cost more amounts than they expected. This thing is similar in _withdraw() function. This scenario also can happen when user attempts to withdraw/deposit assets and their transaction is delayed due to low gas cost/network issue/reorg/ ..., which harming user

Impact

Users will loss assets due to the absence of slippage control in the withdraw/deposit function.

Tools Used

Manual review

Recommended Mitigation Steps

Add slippage checking when deposit/withdraw assets

Assessed type

Other
@c4-bot-2 c4-bot-2 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 15, 2024
c4-bot-10 added a commit that referenced this issue Mar 15, 2024
@c4-bot-10
grearlake issue #451
fb33df8
@c4-bot-11 c4-bot-11 added the 🤖_143_group AI based duplicate group recommendation label Mar 15, 2024
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 18, 2024
@c4-pre-sort
Copy link

0xEVom marked the issue as sufficient quality report

@c4-pre-sort
Copy link

0xEVom marked the issue as duplicate of #281

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 31, 2024
@c4-judge
Copy link

jhsagd76 changed the severity to QA (Quality Assurance)

@c4-judge
Copy link

c4-judge commented Apr 1, 2024

jhsagd76 marked the issue as grade-b

@c4-judge c4-judge reopened this Apr 3, 2024
@c4-judge
Copy link

c4-judge commented Apr 3, 2024

This previously downgraded issue has been upgraded by jhsagd76

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Apr 3, 2024
@c4-judge
Copy link

c4-judge commented Apr 3, 2024

jhsagd76 changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Apr 3, 2024
@C4-Staff C4-Staff added the Q-05 label Apr 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-281 grade-b Q-05 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_143_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@c4-judge @c4-pre-sort @C4-Staff @c4-bot-2 @c4-bot-11