An attacker can take advantage of the vault’s debt dynamics to gain an unfair share allocation. When the vault has a high level of debt, the share price decreases, enabling the attacker to mint an excessive number of shares for a minimal deposit. Once the debt is repaid, the share price returns to its normal level, allowing the attacker to redeem their shares for a significantly higher value, extracting substantial profits at the expense of the vault and its honest participants.
Funds Drain: The attacker can drain funds from the vault, leading to significant losses for other depositors.
System Insolvency: The vault may become insolvent, undermining trust in the protocol and causing long-term damage to its reputation.
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/zlp/ZlpVault.sol#L190
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/zlp/ZlpVault.sol#L172
A malicious user monitors the protocol for opportunities to increase the vault's debt or actively participates in creating debt.
Using the share minting formula:
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/market-making/branches/VaultRouterBranch.sol#L224
With assetsIn = 1 and totalAssetsMinusVaultDebt = 1, the attacker mints:
After a certain period, the vault's debt decreases.
Using the redemption formula:
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/market-making/branches/VaultRouterBranch.sol#L178
Redeeming 1000 shares:
Final Profit: The attacker deposited 1 asset and redeemed 500 assets, netting a profit of 499 assets.
The vulnerability arises because the share minting and redemption formulas are directly influenced by totalAssetsMinusVaultDebt. When totalAssetsMinusVaultDebt is artificially reduced (due to inflated debt), the share price drops significantly, allowing attackers to mint an excessive number of shares. Once the debt is repaid, the share price increases, enabling the attacker to redeem their shares at a much higher value, resulting in substantial profits.
The ERC-4626 tokenized vault standard provides a robust framework for share minting and redemption. Adhering to this standard ensures that share calculations are resistant to manipulation.
Modify the share minting logic to exclude debt from the calculation. This ensures that users receive shares based on the total assets in the vault, regardless of the debt level.
It is recommended to track totalAssets virtually.
Share redemption can still account for the debt.
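The following Python model is an added example, not code from the Zaros repository or from this report. It replays the 1 asset → 1000 shares → 500 assets round trip against a debt-adjusted mint and against the recommended gross-asset mint. It assumes plain proportional pricing (shares = assetsIn * totalSupply / basis); the starting state (999 gross assets, 998 debt, 1000 shares) is constructed to match the figures above.

```python
# Simplified model of the vault arithmetic (added example, not ZlpVault code).
# Assumption: plain proportional pricing; amounts are 18-decimal integers.
from dataclasses import dataclass

WAD = 10**18


@dataclass
class Vault:
    total_assets: int    # gross assets held by the vault
    debt: int            # outstanding vault debt
    total_supply: int    # shares in circulation
    mint_on_gross: bool  # False = debt-adjusted mint (the finding), True = recommended

    def net_assets(self) -> int:
        # Corresponds to totalAssetsMinusVaultDebt in the finding.
        return self.total_assets - self.debt

    def deposit(self, assets_in: int) -> int:
        basis = self.total_assets if self.mint_on_gross else self.net_assets()
        if basis <= 0:
            raise ValueError("no positive pricing basis for minting")
        shares = assets_in * self.total_supply // basis  # rounds down, in the vault's favour
        self.total_assets += assets_in
        self.total_supply += shares
        return shares

    def redeem(self, shares: int) -> int:
        # Redemption stays debt-aware in both variants.
        assets_out = shares * self.net_assets() // self.total_supply
        self.total_assets -= assets_out
        self.total_supply -= shares
        return assets_out


def round_trip(mint_on_gross: bool) -> int:
    """Deposit 1 asset while debt is high, redeem after it clears; return net P&L."""
    # Constructed state: 999 gross assets, 998 debt => net assets of 1; 1000 shares.
    v = Vault(999 * WAD, 998 * WAD, 1000 * WAD, mint_on_gross)
    shares = v.deposit(1 * WAD)
    v.debt = 0  # debt is repaid; net assets return to 1000
    return v.redeem(shares) - 1 * WAD


if __name__ == "__main__":
    print("debt-adjusted mint P&L:", round_trip(False) / WAD)
    print("gross-asset mint P&L:  ", round_trip(True) / WAD)
```

With the gross-asset mint, the same deposit returns at most what was put in (minus rounding), because the mint price no longer moves with the debt level.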