Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

BPZ - Users will experience a DOS when trying to deposit to a LMPVault that has its supplyLimit and walletLimit set to type(uint256).max values #465

Closed
sherlock-admin2 opened this issue Aug 29, 2023 · 1 comment
Closed

BPZ - Users will experience a DOS when trying to deposit to a LMPVault that has its supplyLimit and walletLimit set to type(uint256).max values #465

sherlock-admin2 opened this issue Aug 29, 2023 · 1 comment
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Aug 29, 2023
edited by Evert0x
Loading

BPZ

medium

Users will experience a DOS when trying to deposit to a LMPVault that has its supplyLimit and walletLimit set to type(uint256).max values

Summary

The deposit function of the LMPVault contract asserts that the amount of assets being deposited is not greater than the max deposit for the caller. However, because the _maxMint function will return the type(uint256).max value when both the supplyLimit and walletLimit are set to this value, this assertion will almost always revert when the supply is greater than 0 and totalAssets() / supply > 1 because the type(uint256).max will be provided to the _convertToAssets function as the shares parameter, leading to an over-flow error on the assets calculation.

Vulnerability Detail

The deposit function asserts that the assets parameter is not greater than the caller's max deposit. The maxDeposit function invokes the _maxMint function which will return the type(uint256).max value when both the supplyLimit and walletLimit are set to this value. This will cause the type(uint256).max value to be provided to the _convertToAssets function as the shares parameter. If the supply is then non-zero and totalAssets() / supply > 1, this calculation will almost always result in an over-flow error.

Impact

Users will experience a DOS when attempting to deposit to an LMPVault that has both its supplyLimit and walletLimit set to the type(uint256).max value.

Code Snippet

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVault.sol#L337

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVault.sol#L324

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVault.sol#L936-L938

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVault.sol#L315

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVault.sol#L597

Tool used

Manual Review

Recommendation

It is recommended to refactor the maxDeposit function to return the type(uint256).max value if the _maxMint function returns this value. This can be implemented by refactoring the maxDeposit function as follows:

    function maxDeposit(address wallet) public view virtual override returns (uint256 maxAssets) {
        // @audit recommended mitigation
        uint256 maxMintAmount = _maxMint(wallet);
        maxAssets = maxMintAmount == type(uint256).max ? maxMintAmount : convertToAssets(maxMintAmount);
    }

Duplicate of #577
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Sep 11, 2023
@sherlock-admin2
Copy link
Contributor Author

1 comment(s) were left on this issue during the judging contest.

Trumpero commented:

low, when totalSupplyLimit == perWalletLimit == uint256.max, it's correct that function deposit() is unable to use but the function mint() can be used instead by the users.
Furthermore, when this case happens, the admin can set the limit to another value to mitigate the issue --> No fund are at risk, and temporary DOS

@sherlock-admin sherlock-admin changed the title Steep Corduroy Anteater - Users will experience a DOS when trying to deposit to a LMPVault that has its supplyLimit and walletLimit set to type(uint256).max values BPZ - Users will experience a DOS when trying to deposit to a LMPVault that has its supplyLimit and walletLimit set to type(uint256).max values Oct 3, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Oct 3, 2023
@nevillehuang nevillehuang mentioned this issue Oct 5, 2023
Closed
@Evert0x Evert0x mentioned this issue Oct 31, 2023
Open
@Evert0x Evert0x added the Medium A valid Medium severity issue label Oct 31, 2023
@sherlock-admin sherlock-admin added Reward A payout will be made for this issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Non-Reward This issue will not receive a payout Excluded Excluded by the judge without consulting the protocol or the senior labels Oct 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Evert0x @sherlock-admin @sherlock-admin2