Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X12 - ratiosX96Value rounds in favor of user and not vault #61

Open
sherlock-admin2 opened this issue Jun 27, 2024 · 3 comments
Open

X12 - ratiosX96Value rounds in favor of user and not vault #61

sherlock-admin2 opened this issue Jun 27, 2024 · 3 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Jun 27, 2024
edited by sherlock-admin3
Loading

X12

Medium

ratiosX96Value rounds in favor of user and not vault

Summary

ratiosX96Value is rounded down instead of up, causing withdrawals to favor users. This can slowly decrease the value in our vault, potentially leading to insolvency.

Vulnerability Detail

ratiosX96Value, calculated in calculateStack,

s.ratiosX96Value += FullMath.mulDiv(s.ratiosX96[i], priceX96, Q96);

is used as a denominator inside analyzeRequest to calculate coefficientX96 and the user's expectedAmounts.

uint256 value = FullMath.mulDiv(lpAmount, s.totalValue, s.totalSupply);
value = FullMath.mulDiv(value, D9 - s.feeD9, D9);
uint256 coefficientX96 = FullMath.mulDiv(value, Q96, s.ratiosX96Value);
...
expectedAmounts[i] = ratiosX96 == 0 ? 0 : FullMath.mulDiv(coefficientX96, ratiosX96, Q96);

However, calculateStack rounds the denominator down (thanks to mulDiv) , which increases coefficientX96 and thus increases what users withdraw.

This is unwanted behavior in vaults. Rounding towards users decreases the vault's value and can ultimately cause insolvency. The previous audit found a similar issue in the deposit function - M1.

Impact

The vault may become insolvent or lose small amounts of funds with each withdrawal.

Code Snippet

for (uint256 i = 0; i < tokens.length; i++) {
    uint256 priceX96 = priceOracle.priceX96(address(this), tokens[i]);
    s.totalValue += FullMath.mulDiv(amounts[i], priceX96, Q96);
    s.ratiosX96Value += FullMath.mulDiv(s.ratiosX96[i], priceX96, Q96);
    s.erc20Balances[i] = IERC20(tokens[i]).balanceOf(address(this));
}

Tool used

Manual Review

Recommendation

Round the value up instead of down, similar to how it's done inside deposit.

for (uint256 i = 0; i < tokens.length; i++) {
    uint256 priceX96 = priceOracle.priceX96(address(this), tokens[i]);
    s.totalValue += FullMath.mulDiv(amounts[i], priceX96, Q96);
-   s.ratiosX96Value += FullMath.mulDiv(s.ratiosX96[i], priceX96, Q96);
+   s.ratiosX96Value += FullMath.mulDivRoundingUp(s.ratiosX96[i], priceX96, Q96);
    s.erc20Balances[i] = IERC20(tokens[i]).balanceOf(address(this));
}
@sherlock-admin3 sherlock-admin3 mentioned this issue Jun 27, 2024
Closed
@sherlock-admin2 sherlock-admin2 mentioned this issue Jun 28, 2024
Closed
@sherlock-admin3 sherlock-admin3 changed the title Breezy Velvet Yak - Missing withdrawalCallback call in emergencyWithdraw() ratiosX96Value rounds in favor of user and not vault Jun 28, 2024
@sherlock-admin3 sherlock-admin3 added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Jun 30, 2024
@github-actions github-actions bot changed the title ratiosX96Value rounds in favor of user and not vault Creamy Malachite Condor - ratiosX96Value rounds in favor of user and not vault Jul 6, 2024
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jul 6, 2024
This was referenced Jul 6, 2024
Closed
Closed
Closed
@sherlock-admin3 sherlock-admin3 added the Will Fix The sponsor confirmed this issue will be fixed label Jul 8, 2024
@sherlock-admin3 sherlock-admin3 changed the title Creamy Malachite Condor - ratiosX96Value rounds in favor of user and not vault X12 - ratiosX96Value rounds in favor of user and not vault Jul 15, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Jul 15, 2024
@sherlock-admin2
Copy link
Author

The protocol team fixed this issue in the following PRs/commits:
mellow-finance/mellow-lrt#44

@10xhash
Copy link
Collaborator

10xhash commented Jul 30, 2024

Fixed
Now rounded up

@sherlock-admin2
Copy link
Author

The Lead Senior Watson signed off on the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @10xhash @sherlock-admin3