Incorrect Shares Distribution When totalAmountBefore == 0
Summary
The contract attempts to prevent division by zero by setting totalAmountBefore = 1 when totalAmountBefore == 0. However, this results in incorrect share allocation, allowing a new depositor to receive an unfairly high number of shares, potentially claiming all existing shares for free.
Vulnerability Details
In the code it calculates
totalAmountBeforebased on existing contract balance.Checks if
totalAmountBefore == 0if ture, sets
totalAmountBefore = 1to prevent division by zero
EXPLOIT SCENARIO
totalShares= 1,000,000totalAmountBefore = 0(No active position or collateral)A user notices that
totalAmountBefore ==0and prepares an exploit
Depositor A deposits 1 token.(assume minimum deposit, get to know that irrespective of the minimum deposit set this will still be exploited).
Contract setstotalAmountBefore = 1to avoid division by zero
Shares calculation
Depositor A now owns 100% of the total shares
If another user deposits later they get minimal shares.
Impact
A single malicious users can seize all contract shares
A new deposit gets an unfairly large number of shares
An attacker can monitor for
tpotalAmountBefore == 0and steal all existing shares with a small deposit.
Tools Used
Manual Review
Recommendations
Lead Judging Commences
invalid_totalAmountBefore_is_1_incorrect_calculation_supposition
No proof when this can happen: Most of the time totalAmountBefore equals 0 (balance minus amount sent), it means totalShares equals 0. If it could happen with very specific conditions, report with that tag didn't add the needed details to be validated.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.