Summary

The oracle price calculation functions assume that vault parameters—particularly the total supply—are nonzero. In the edge case where the vault is empty, divisions could occur with a zero denominator. Occurs only in the edge case of an empty vault, leading primarily to a denial-of-service scenario rather than direct funds loss.

Vulnerability Details

-Price calculation functions (e.g. in raw_price, price_v0, etc.) use vault state values (like total supply) as divisors without explicitly checking if they are zero.

-If no deposits exist in the vault, a division by zero may occur, leading to a revert or unintended behavior.

Elaboration

In the edge case where the vault is empty, divisions could occur with a zero denominator, leading to a division by zero error, causing a denial of service.​

Proof of Concept (PoC):

An attacker or user calls the raw_price function when the vault's total_supply is zero, leading to a division by zero error.​

In this PoC, when total_supply is zero, calling the raw_price function results in a division by zero, causing the contract to throw an exception and potentially disrupting the protocol's operations.

Impact

-An empty vault could cause the oracle to fail in updating or providing a price, potentially resulting in a denial of service.

-Dependent contracts or liquidity pools relying on the oracle may receive inaccurate pricing data.

Tools Used

-Manual Code Review

-Edge-case analysis based on known ERC4626 patterns and Solodit Checklist best practices

-Chat GPT o3-mini-high

Recommendations

-Add explicit checks in all price calculation functions to detect if the vault’s total supply is zero.

-In such cases, either return a safe default (e.g. the last known lower-bound price) or revert with a clear error message.

-This ensures that division-by-zero errors are prevented and that the oracle behaves predictably in edge scenarios.