First Flight #21: KittyFi

Submission Details
Severity: low
Valid

In `KittyPool`, user collateral can become locked, leading to financial loss, when a user withdraws all of their collateral from a vault or tries to mint `kittyCoin` without having deposited any collateral.

Description: The KittyPool contract is responsible for letting users withdraw their collateral. It routes the call to the vault for that collateral token; one vault is created for every collateral token used in the protocol and handles both deposits and withdrawals.

```solidity
function whiskdrawMeowllateral(address _token, uint256 _ameownt) external tokenExists(_token) {
    // Forward the withdrawal to the vault that holds this collateral token
    IKittyVault(tokenToVault[_token]).executeWhiskdrawal(msg.sender, _ameownt);
    // Check that the caller is still sufficiently collateralised after the withdrawal
    require(_hasEnoughMeowllateral(msg.sender), KittyPool__NotEnoughMeowllateralPurrrr());
}
```

However, the call panics when a user withdraws all of their collateral from the vault, and also when a user tries to mint kittyCoin without having deposited any collateral.

ERROR:

Failing tests:
Encountered 1 failing test in test/KittyFiPoc.t.sol:KittyFiPoc
[FAIL. Reason: panic: division or modulo by zero (0x12)] test_CanUserWithdrewAllCollateral() (gas: 248302)

It happens in one of the inner functions the call reaches, `KittyVault::getUserMeowllateral`:

```solidity
function getUserMeowllateral(address _user) public view returns (uint256) {
    uint256 totalMeowllateralOfVault = getTotalMeowllateral();
    // mulDiv(x, y, denominator): the denominator here is totalCattyNip, so once
    // no cattyNip shares are outstanding this divides by zero and panics (0x12)
    return userToCattyNip[_user].mulDiv(totalMeowllateralOfVault, totalCattyNip);
}
```

Impact: A panic with the reason "division or modulo by zero" (error code 0x12) means the contract attempted to divide by zero, a runtime error in Solidity that reverts the whole call. Because other functions depend on `getUserMeowllateral`, the revert propagates to them, which can break the protocol and cause it to behave unexpectedly or fail entirely.

Proof of Concept (Foundry tests):

1. The first test panics because a user withdraws all of their collateral, leaving the vault with a balance of 0. To avoid the panic, some other collateral must already be in the contract beforehand (see the commented-out lines), or the fix from the Recommendations must be applied.

```solidity
function test_CanUserWithdrewAllCollateral() public {
    uint256 depositAmount = 5 ether;
    uint256 withdrewAmount = 5 ether;
    // Deposit the collateral as `user`
    vm.startPrank(user);
    IERC20(weth).approve(address(wethVault), depositAmount);
    kittyPool.depawsitMeowllateral(weth, depositAmount);
    // note: uncomment the following block if you do not want to get the panic
    // address user2 = makeAddr("user2");
    // deal(weth, user2, AMOUNT);
    // vm.startPrank(user2);
    // IERC20(weth).approve(address(wethVault), depositAmount);
    // kittyPool.depawsitMeowllateral(weth, depositAmount);
    // assertEq(wethVault.getUserMeowllateral(user), depositAmount);
    // vm.stopPrank();
    // The user wants to withdraw the whole amount but is unable to
    kittyPool.whiskdrawMeowllateral(weth, withdrewAmount);
    vm.stopPrank();
}
```
2. The second test shows the panic when the contract holds 0 collateral and a user tries to mint kittyCoin without depositing any collateral.

```solidity
function test_UserFundStuctInContract() public {
    uint256 amountToMint = 20e18;
    address attacker = makeAddr("attacker");
    // An attacker tries to mint kittyCoin without depositing any collateral,
    // and KittyPool itself does not hold any collateral either
    vm.startPrank(attacker);
    // The expected message is the one added by the require in the Recommendations;
    // on the unfixed code the call panics with 0x12 instead
    vm.expectRevert("total Meowllateral is zero");
    kittyPool.meowintKittyCoin(amountToMint);
    vm.stopPrank();
}
```

Tools Used:

Manual Review
Foundry

Recommendations:

Adjust the logic in `KittyVault::getUserMeowllateral` so that it does not attempt the division when the vault is empty:

```diff
function getUserMeowllateral(address _user) public view returns (uint256) {
    uint256 totalMeowllateralOfVault = getTotalMeowllateral();
+   require(totalMeowllateralOfVault > 0, "total Meowllateral is zero");
    return userToCattyNip[_user].mulDiv(totalMeowllateralOfVault, totalCattyNip);
}
```
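As an added illustration (not code from the KittyFi repository), the simplified vault below keeps only the cattyNip share accounting needed to reproduce the panic: `mulDiv`'s denominator is `totalCattyNip`, the value the lead judge's tag identifies as zero, so the guarded version returns 0 when no shares are outstanding instead of reverting. The contract name, the `deposit`/`withdraw` helpers and the counter-based collateral tracking are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";

// Hypothetical, simplified vault written for this example; it is not KittyFi's
// KittyVault. It keeps only the share ("cattyNip") accounting needed to show why
// getUserMeowllateral divides by zero once every share has been redeemed.
contract ExampleVault {
    using Math for uint256;

    uint256 public totalMeowllateral; // collateral held (assumed: a plain counter)
    uint256 public totalCattyNip;     // total shares outstanding
    mapping(address => uint256) public userToCattyNip;

    function deposit(address user, uint256 amount) external {
        // First depositor gets shares 1:1; later depositors get shares pro rata
        uint256 shares = totalCattyNip == 0
            ? amount
            : amount.mulDiv(totalCattyNip, totalMeowllateral);
        userToCattyNip[user] += shares;
        totalCattyNip += shares;
        totalMeowllateral += amount;
    }

    function withdraw(address user, uint256 amount) external {
        require(amount <= totalMeowllateral, "amount exceeds vault balance");
        // Burn the cattyNip that corresponds to the collateral leaving the vault
        uint256 shares = amount.mulDiv(totalCattyNip, totalMeowllateral);
        userToCattyNip[user] -= shares;
        totalCattyNip -= shares;
        totalMeowllateral -= amount;
    }

    // Unguarded version, as in the report: the denominator is totalCattyNip,
    // so this panics with 0x12 as soon as the last share has been withdrawn
    function getUserMeowllateralUnguarded(address user) public view returns (uint256) {
        return userToCattyNip[user].mulDiv(totalMeowllateral, totalCattyNip);
    }

    // Guarded version: with no shares outstanding nobody owns any collateral,
    // so return 0 instead of reverting and dependent calls keep working
    function getUserMeowllateral(address user) public view returns (uint256) {
        if (totalCattyNip == 0) return 0;
        return userToCattyNip[user].mulDiv(totalMeowllateral, totalCattyNip);
    }
}
```

After `deposit(alice, 5 ether)` followed by `withdraw(alice, 5 ether)`, `getUserMeowllateralUnguarded(alice)` panics while `getUserMeowllateral(alice)` returns 0.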
Updates

Lead Judging Commences

shikhar229169 Lead Judge
11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

totalCattyNip being 0 makes getUserMeowllateral revert, causing dependent functions to revert
