Light ModeLight
Light ModeDark

One Bug Per Day

One H/M every day from top Wardens

Checkmark

Join over 1120 wardens!

Checkmark

Receive the email at any hour!

Ad

_maxYieldVaultWithdraw() uses yieldVault.convertToAssets()

mediumCode4rena

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L922

Vulnerability details

Impact

maxWithdraw() and maxRedeem() may return too much, violating EIP-4626. liquidatableBalanceOf() may return too much.

Proof of Concept

solidity
function _maxYieldVaultWithdraw() internal view returns (uint256) {
    return yieldVault.convertToAssets(yieldVault.maxRedeem(address(this)));
}

uses yieldVault.convertToAssets() which per EIP-4626 is only approximate. Especially, it might return too much, and thus _maxYieldVaultWithdraw() might return too much. _maxYieldVaultWithdraw() is used in maxWithdraw(), in maxRedeem(), and in liquidatableBalanceOf() which functions may thus return too much. In the case of maxWithdraw() and maxRedeem() this violates EIP-4626.

Recommended Mitigation Steps

Use yieldVault.previewRedeem(yieldVault.maxRedeem(address(this))).

Assessed type

ERC4626

OneBugPerDay.com
To all the whitehats, we salute you

Legal

Advertise with usPrivacy PolicyTerms of ServiceCookie PolicyAcceptable Use

Unsubscribe

Unsubscribe from all emailsConfirm unsubscribe via code

Subscribe

Subscribe via formConfirm subscription via codeChange your Preferences
Made by Alex The EntreprenerdVulnerabilities database by TinTinWeb