Submission Details
Severity:
Using totalSupply to track total deposit will lead to incorrect calculation when funds are deposited directly to the vault without calling deposit function
[M-4] Using totalSupply to track total deposit will lead to incorrect calculation when funds are deposited directly to the vault without calling deposit function
Description:
The protocol uses totalSupply to track total deposit, this will result in wrong calculation of deposit when a user deposit straight in the vault without calling deposit function
Impact:
leads to wrong calculation and tracking of users total deposit
Proof of Concept:
function calculateRaacRewards(address user) public view returns (uint256) {
uint256 userDeposit = userDeposits[user];
// @audit using total supply to calculate total deposit a user // can deposit without calling the deposit function
uint256 totalDeposits = deToken.totalSupply();
uint256 totalRewards = raacToken.balanceOf(address(this));
if (totalDeposits < 1e6) return 0;
return (totalRewards * userDeposit) / totalDeposits;
}
Recommended Mitigation:
Tracking total users deposit through a mapping or storage is advisable
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.