eeyore - In Vault.calculateStack() function the ratiosX96Value value is rounded down #128

Closed
sherlock-admin2 opened this issue Jun 27, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

sherlock-admin2 commented Jun 27, 2024

eeyore

Medium

In Vault.calculateStack() function the ratiosX96Value value is rounded down

Summary

The ratiosX96Value calculations are rounded in a way that is unfavorable to the protocol.

Vulnerability Detail

The ratiosX96Value is used as a denominator for calculations of user withdrawal amounts and, as such, should always be rounded in a way that is favorable to the protocol, in this case, up.

Impact

Withdrawal values will be rounded in favor of the user.

Code Snippet

https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/Vault.sol#L530
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/Vault.sol#L487
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/Vault.sol#L495

Tool used

Manual Review

Recommendation

When calculating ratiosX96Value, use rounding up:

        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 priceX96 = priceOracle.priceX96(address(this), tokens[i]);
            s.totalValue += FullMath.mulDiv(amounts[i], priceX96, Q96);
-           s.ratiosX96Value += FullMath.mulDiv(s.ratiosX96[i], priceX96, Q96);
+           s.ratiosX96Value += FullMath.mulDivRoundingUp(s.ratiosX96[i], priceX96, Q96);
            s.erc20Balances[i] = IERC20(tokens[i]).balanceOf(address(this));
        }
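
Review bot: on the `+` line the round-up is applied once per token inside the loop, so `s.ratiosX96Value` can end up above the exact sum by just under one unit per entry in `tokens`. That is the safe direction for a value used as a divisor, but the line deserves a short comment saying so, because the line directly above still accumulates `s.totalValue` with `FullMath.mulDiv` and the asymmetry will otherwise look like an oversight to the next reader. It is also worth confirming, at the three `Vault.sol` locations linked under Code Snippet, that `ratiosX96Value` is only ever used as a denominator, since rounding up would be the wrong direction anywhere it appears as a numerator.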

Duplicate of #61
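
The rounding direction described in the report, modelled in Python as an added example (not code from the report or from the Mellow repository). The payout formula `amount_i = value * ratio_i / ratiosX96Value` is an assumption based only on the report's statement that the value is a denominator, and the ratios, prices and withdrawal value are constructed so that the rounding gap is large enough to see.

```python
from fractions import Fraction

Q96 = 1 << 96  # X96 fixed-point scale, as in the snippet above


def mul_div(a, b, d):
    """floor(a * b / d), the behaviour of FullMath.mulDiv."""
    return (a * b) // d


def mul_div_rounding_up(a, b, d):
    """ceil(a * b / d), the behaviour of FullMath.mulDivRoundingUp."""
    return -((-(a * b)) // d)


def ratios_x96_value(ratios_x96, prices_x96, round_up):
    """Accumulate the denominator the way the loop does, one term per token."""
    op = mul_div_rounding_up if round_up else mul_div
    return sum(op(r, p, Q96) for r, p in zip(ratios_x96, prices_x96))


def payout_value(value, ratios_x96, prices_x96, round_up):
    """Exact value of what a withdrawal of `value` pays out.

    Assumed (hypothetical) formula: amount_i = floor(value * ratio_i / denom).
    The result is returned as an exact Fraction so no further rounding hides
    the effect of the denominator.
    """
    denom = ratios_x96_value(ratios_x96, prices_x96, round_up)
    amounts = [mul_div(value, r, denom) for r in ratios_x96]
    return sum(Fraction(a * p, Q96) for a, p in zip(amounts, prices_x96))


# Constructed sample: two tokens at a 50/50 ratio, each term equal to 100.5
# before rounding, so floor and ceil land on opposite sides of the exact sum.
RATIOS = [Q96 // 2, Q96 // 2]
PRICES = [201, 201]
VALUE = 1000

if __name__ == "__main__":
    for round_up in (False, True):
        denom = ratios_x96_value(RATIOS, PRICES, round_up)
        paid = payout_value(VALUE, RATIOS, PRICES, round_up)
        print(f"round_up={round_up}: denominator={denom}, paid={float(paid)}")
```

With the floored denominator the payout is worth more than the value withdrawn; with the rounded-up denominator it never exceeds it. At realistic X96 magnitudes the gap is a few units in the last place rather than the 0.5% constructed here.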

@sherlock-admin3 sherlock-admin3 changed the title Bitter Jetblack Finch - Consequent transfers of stETH, will result in DoS In Vault.calculateStack() function the ratiosX96Value value is rounded down Jun 28, 2024
@sherlock-admin3 sherlock-admin3 added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Jun 30, 2024
@github-actions github-actions bot changed the title In Vault.calculateStack() function the ratiosX96Value value is rounded down Square Mint Ape - In Vault.calculateStack() function the ratiosX96Value value is rounded down Jul 6, 2024
@github-actions github-actions bot closed this as completed Jul 6, 2024
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 6, 2024
@sherlock-admin3 sherlock-admin3 added Will Fix The sponsor confirmed this issue will be fixed and removed Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Jul 8, 2024
@sherlock-admin3 sherlock-admin3 changed the title Square Mint Ape - In Vault.calculateStack() function the ratiosX96Value value is rounded down eeyore - In Vault.calculateStack() function the ratiosX96Value value is rounded down Jul 15, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Jul 15, 2024