Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Mismatched slippage precision during deposit results in incorrect assertion of min-shares minted

tigerfrake

Summary

The deposit() function in the VaultRouterBranch contract may incorrectly validate the minimum shares (minShares) due to a mismatch in decimal representations. While minShares is expected to be in 18 decimals, the shares obtained from the vault may have a different decimal format. This discrepancy can lead to erroneous comparisons.

Vulnerability Details

In the deposit() function, users can specify a minShares parameter, which represents the minimum amount of index tokens (shares) they expect to receive from the deposit. The comment in the code states that this value is in 18 decimals.

>> /// @param minShares The minimum amount of index tokens to receive in 18 decimals.
function deposit(
uint128 vaultId,
uint128 assets,
>> uint128 minShares,
bytes memory referralCode,
bool isCustomReferralCode
)

When a user deposits assets into a vault, the function calculates the number of shares obtained from the deposit.

ctx.shares = IERC4626(indexTokenCache).deposit(ctx.assetsMinusFees, msg.sender);

However, the number of shares returned may not necessarily be in 18 decimals. The actual decimal representation of these shares depends on the specific token's configuration (in this case, the vault.indexToken).

The function then proceeds to validate these calculated shares as follows:

if (ctx.shares < minShares) revert Errors.SlippageCheckFailed(minShares, ctx.shares);

Impact

If the shares obtained from the deposit are in a different decimal format (e.g., 6 decimals) than the minShares (which is expected to be in 18 decimals), the comparison between ctx.shares and minShares will be incorrect. For instance, if minShares is set to 100e18 (100 tokens in 18 decimals) but the obtained shares are in 6 decimals, this would lead to incorrect comparison.

Tools Used

Manual Review

Recommendations

Ensure that both values being compared are in the same decimal format. Converting the obtained shares (ctx.shares) to 18 decimals before performing the comparison with minShares.

// Shares calculated
ctx.shares = IERC4626(indexTokenCache).deposit(ctx.assetsMinusFees, msg.sender);
// Convert ctx.shares to 18 decimals for comparison
+ uint128 sharesIn18Decimals =
+ Math.convertTokenAmountToUd60x18(IERC20Metadata(vault.indexToken).decimals(), ctx.shares).intoUint128();
// assert min shares minted
- if (ctx.shares < minShares) revert Errors.SlippageCheckFailed(minShares, ctx.shares);
+ if (sharesIn18Decimals < minShares) revert Errors.SlippageCheckFailed(minShares, ctx.shares);
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The `deposit()` function in the `VaultRouterBranch` contract may incorrectly validate the minimum shares (`minShares`) due to a mismatch in `decimal` representations.

Appeal created

hard1k Auditor
9 months ago
inallhonesty Lead Judge
9 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The `deposit()` function in the `VaultRouterBranch` contract may incorrectly validate the minimum shares (`minShares`) due to a mismatch in `decimal` representations.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.