Arbitrary staking/deposit on a arbitrary token with an arbitrary amount has no checks to ensure token amount isn't type(uint256).max thus allowing wrong stake amount for certain tokens with custom logic such as cUSDCv3
Summary
Certain tokens such as cUSDCv3 have transfer logic where when a transfer takes place their transfer functionality checks if the 'amount' to be transferred is type(uint256).max, if this is the case the balance of the sender is transferred. So if a user has a dust amount cUSDCv3 attempts to stake/deposit amount 'type(uint256).max' in this protocol, the actual transfer amount will be procesed as the user's total balance of that token, not type(uint256).max. Thus the staking function will register/queue the stake as type(uint256).max but in actuality only cUSDCv3.balanceOf(msg.sender) will have been transferred.
Vulnerability Details
function deposit(uint256 _amount) external override onlyVaultController {
trackedTotalDeposits += SafeCast.toUint128(_amount);
token.safeTransferFrom(msg.sender, address(this), _amount);
IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
}
Impact
Tools Used
Recommendations
This can cause serious discrepancies with the protocol's intended logic. To remedy this, there can be a check to prevent users from passing type(uint256).max as the stake/deposit amount.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.