Part 2

Summary

The deposit function does not enforce that the calculated shares (currentShares) meet the minimum requirement (minShares). This allows the function to proceed even when the calculated shares are zero, violating the user's expectation of receiving at least minShares. The issue likely stems from incorrect share calculation logic or insufficient validation checks in the deposit function.

Vulnerability Details

/VaultRouterBranch.sol/deposit

deposit function in the VaultRouterBranch.sol contract does not enforce that the calculated shares (currentShares) meet the minimum requirement (minShares). This allows the function to proceed even when the calculated shares are zero, violating the user's expectation of receiving at least minShares.

• Scenario: A user deposits a small amount of assets (assets = 1) into a vault with a minimum share requirement (minShares = 1).

• Flow:

  1. The deposit function is called with vaultId=1, assets=1, minShares=1, referralCode=0x, and isCustom=false.

  2. The function fails to mint any shares (currentShares = 0).

  3. The transaction reverts due to the violation of the assertion currentShares >= minShares.

• Variables:

  • Pre-Deposit: assets = 1, minShares = 1, totalDeposits = 0

  • Post-Deposit: currentShares = 0 (expected currentShares >= 1), totalDeposits = 0 (unchanged)

Root Cause

The issue stems from incorrect share calculation logic or insufficient validation checks in the deposit function. The function does not ensure that the calculated shares meet the minimum requirement (minShares), allowing the transaction to proceed even when the calculated shares are zero.

Impact

Users may lose funds or fail to receive the expected shares when depositing assets

Tools Used

Vs

Recommendations

Add a validation check in the deposit function to ensure currentShares >= minShares before proceeding with the deposit