L2ContractMigrationFacet::redeemDepositsAndInternalBalances - silo's deposited and depositedBdv balances corresponding to particular token is set to 0
Summary
In L2ContractMigrationFacet::redeemDepositsAndInternalBalances when deposits and bean-asset internal balances are redeemed onto L2 address then while updating deposits to reciever's address global states storing silo's deposited and depositedBdv balances corresponding to particular token is set to 0.
Vulnerability Details
Inside L2ContractMigrationFacet::redeemDepositsAndInternalBalances addMigratedDepositsToAccount is called to increment account's stalk.
Inside function addMigratedDepositsToAccount local variables totalDeposited and totalDepositedBdv are used to update global states storing silo's deposited and depositedBdv balances corresponding to particular token but these local variables hold their default values only which will be set to global states.
Impact
Setting Global state corresponding to silo token's balances (deposited and depositedBdv) to 0 will severly impact the system's accounting and all other account's holding that token.
Tools Used
Manual review
Recommendations
properly update global sates.
Lead Judging Commences
`addMigratedDepositsToAccount` Function doesn't properly aggregate the totalDeposited and totalDepositBdved
Appeal created
`addMigratedDepositsToAccount` Function doesn't properly aggregate the totalDeposited and totalDepositBdved
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.