You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
sherlock-admin opened this issue
Mar 27, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
The deposit fee can be bypassed by using mintDepositInQueue() function.
Summary
Any user can avoid paying the deposit fee for the Carousel contract's treasury by adding themselves to the deposit queue and then calling the mintDepositInQueue() function to deposit and collect the relayer fee.
Vulnerability Detail
In the Carousel contract, the users are allowed to add themselves to the deposit queue by calling the deposit function with the _id parameter set to zero.
After that, the user must call the mintDepositInQueue() function to dequeue themselves from the top of the queue and deposit themselves into the pool; in this process, the relayer fee will be calculated and sent to the msg.sender as shown in line 354.
For the deposit queue execution order, we recommended changing to the FIFO(First in, first out) queue and keep the operated index in the state variable.
error InvalidQueueLength();
error InvalidOperation();
uint256public depositQueueOperatedIndex;
/** @notice mints deposit in rollover queue @param _epochId epoch id @param _operations uint256 of how many operations to execute; */function mintDepositInQueue(uint256_epochId, uint256_operations)
externalepochIdExists(_epochId)
epochHasNotStarted(_epochId)
nonReentrant
{
// make sure there is already a new epoch set// epoch has not started
QueueItem[] memory queue = depositQueue;
uint256 length = depositQueue.length;
// dont allow minting if epochId is 0if (_epochId ==0) revertInvalidEpochId();
if (length ==0) revertOverflowQueue();
if (depositQueueOperatedIndex == length) revertInvalidQueueLength();
if (_operations ==0) revertInvalidOperation();
uint256 i = _operations;
uint256 _currentIndex;
while(i >0) {
_currentIndex = depositQueueOperatedIndex;
_mintShares(
queue[_currentIndex].receiver,
_epochId,
queue[_currentIndex].assets - relayerFee
);
emitDeposit(
msg.sender,
queue[_currentIndex].receiver,
_epochId,
queue[_currentIndex].assets - relayerFee
);
unchecked {
i--;
}
depositQueueOperatedIndex++;
if (depositQueueOperatedIndex == length) break;
}
_operations -= i;
emitRelayerMinted(_epochId, _operations);
uint256 _fee = _operations * relayerFee;
uint256 _depositFee = _fee *10/100; /// e.g., 10% of relayer feeuint256 _relayerFee = _fee - _depositFee;
asset.safeTransfer(treasury, _depositFee);
asset.safeTransfer(msg.sender, _relayerFee);
}
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Inspex
high
The deposit fee can be bypassed by using
mintDepositInQueue()
function.Summary
Any user can avoid paying the deposit fee for the
Carousel
contract's treasury by adding themselves to the deposit queue and then calling themintDepositInQueue()
function to deposit and collect the relayer fee.Vulnerability Detail
In the
Carousel
contract, the users are allowed to add themselves to the deposit queue by calling the deposit function with the_id
parameter set to zero.https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L470-L501
After that, the user must call the
mintDepositInQueue()
function to dequeue themselves from the top of the queue and deposit themselves into the pool; in this process, the relayer fee will be calculated and sent to themsg.sender
as shown in line 354.https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310-L355
As a result, the user can deposit their asset into the pool without having to pay the deposit fee.
In addition, the relayer should execute from the beginning of the queue to perform as the role defines.
Impact
The pool's treasury will not receive deposit fees as expected.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L306-L355
Tool used
Manual Review
Recommendation
We recommend collecting the deposit fee by deducting it from the relayer fee, e.g., 10% of the relayer fee.
For the deposit queue execution order, we recommended changing to the FIFO(First in, first out) queue and keep the operated index in the state variable.
Duplicate of #75
The text was updated successfully, but these errors were encountered: