You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
sherlock-admin opened this issue
Mar 27, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Users can bypass the fee when depositing in the vault
Summary
Users can bypass the fee when depositing in the vault by using the function mintDepositInQueue
Vulnerability Detail
Users have 2 options to deposit into a vault. The first option lets the users specify a particular epochId and the protocol will charge a percentage of _assets. The second one allows users not to define which epochId they want to deposit in and gives this duty to the relayer who can be anyone to choose the epochId that the users will be minted the shares. After that, the relayer can take relayerFee ETH as a fee to process the transaction.
The relayer processes the transactions by calling the function Carousel.mintDepositInQueue() to mint the shares corresponding to each element in the array depositQueue. Note that the depositQueue is executed in FILO order (from the array's tail to the head). This execution order creates a flaw in the "taking fee mechanism" which let the users deposit in the expected epochId without paying any fee.
For example,
Alice wants to deposit x ETH in the vault with epochId = 4.
Alice calls Carousel.deposit(_id = 0, _assets = (x + relayerFee) ETH, _receiver = Alice).
Because Alice set the _id = 0, the deposit will be added to the tail of the depositQueue array.
Alice immediately calls Carousel.mintDepositInQueue(_epochId = 4, operations = 1). As we can see that Alice is the relayer in this function call, then she can gain x - relayer shares of the epochId = 4 and get back the relayerFee ETH.
Note that Alice can write a smart contract to execute step 2 and step 3 in the same transaction which helps her bypass the deposit fee.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
TrungOre
medium
Users can bypass the fee when depositing in the vault
Summary
Users can bypass the fee when depositing in the vault by using the function
mintDepositInQueue
Vulnerability Detail
Users have 2 options to deposit into a vault. The first option lets the users specify a particular
epochId
and the protocol will charge a percentage of_assets
. The second one allows users not to define whichepochId
they want to deposit in and gives this duty to therelayer
who can be anyone to choose theepochId
that the users will be minted the shares. After that, therelayer
can takerelayerFee
ETH as a fee to process the transaction.The
relayer
processes the transactions by calling the functionCarousel.mintDepositInQueue()
to mint the shares corresponding to each element in the arraydepositQueue
. Note that thedepositQueue
is executed in FILO order (from the array's tail to the head). This execution order creates a flaw in the "taking fee mechanism" which let the users deposit in the expectedepochId
without paying any fee.For example,
epochId = 4
.Carousel.deposit(_id = 0, _assets = (x + relayerFee) ETH, _receiver = Alice)
.Because Alice set the
_id = 0
, the deposit will be added to the tail of thedepositQueue
array.Carousel.mintDepositInQueue(_epochId = 4, operations = 1)
. As we can see that Alice is therelayer
in this function call, then she can gainx - relayer
shares of theepochId = 4
and get back therelayerFee
ETH.Note that Alice can write a smart contract to execute step 2 and step 3 in the same transaction which helps her bypass the deposit fee.
Impact
Users can bypass the deposit fee.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L354
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L495-L497
Tool used
Manual Review
Recommendation
Consider sending a portion of
relayerFee
to treasury instead of transferring all of the fees formsg.sender
.Duplicate of #75
The text was updated successfully, but these errors were encountered: