Motomoto - Fixed users can't withdraw funds after calling claimFixedPremium upfront #164

Open
sherlock-admin4 opened this issue Sep 21, 2024 · 0 comments


sherlock-admin4 commented Sep 21, 2024

Motomoto

High

Fixed users can't withdraw funds after calling claimFixedPremium upfront

Summary

Fixed depositors will have their claim tokens set to zero after claiming their premium, which will cause a revert on their withdrawals.

Root Cause

In vault.sol, the logic of setting fixedClaimToken[msg.sender] to zero during the claimFixedPremium function prevents fixed depositors from withdrawing their funds afterward.

  1. First, in the deposit function, the fixed depositor gets minted claim tokens. L359
      // Mint claim tokens
      fixedClaimToken[msg.sender] += shares;
  2. Second, in the claimFixedPremium function, the fixed depositor burns his claim tokens for the upfront premium. The user gets minted bearer tokens and his claimToken balance is set to 0.
      // Burn claim tokens
      fixedClaimToken[msg.sender] = 0;
  3. Third and last, the fixed depositor tries to withdraw funds. However, a claimToken balance check in the withdraw function below prevents him from withdrawing his funds.
      if (side == FIXED) {
        require(fixedToVaultNotStartedWithdrawalRequestIds[msg.sender].length == 0, "WAR");

        // need to have claim tokens
        uint256 claimBalance = fixedClaimToken[msg.sender];
        //uint256 claimBalance = fixedClaimToken.balanceOf(msg.sender);
        require(claimBalance > 0, "NCT"); //@audit claimBalance is already set to 0 when claiming the premium, this call will revert

Internal pre-conditions

  1. A fixed depositor needs to have a non-zero balance of fixedClaimToken to call claimFixedPremium. --> After depositing, that check will pass.
  2. The fixed depositor will then call claimFixedPremium to get his premium upfront, sourced by variable users.
    When claimed, claimTokens will be burned and the user's balance will be set to 0.
  3. The fixed depositor will then try to withdraw his funds. However, the withdraw function checks whether the user's claimToken balance is greater than 0.
  4. Since it has been set to 0 in claimFixedPremium, the withdraw call will revert for the fixed user.

External pre-conditions

none

Attack Path

There is no attack. I identified the flow above.

Impact

Fixed user funds are stuck, unable to withdraw.

PoC

https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L358-L360
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L412-L414
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L428-L434

Mitigation

No response

sherlock-admin4 changed the title from "Urban Latte Quail - Fixed users can't withdraw funds after calling claimFixedPremium upfront" to "Motomoto - Fixed users can't withdraw funds after calling claimFixedPremium upfront" on Sep 30, 2024
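
The three steps in the report, reduced to a stand-alone model with a Foundry test. This is an added example, not part of the original issue or the project's code. The contract names, `fixedBearerToken`, the bearer amount and the error string in `claimFixedPremium` are assumptions; only the quoted statements are modeled, so any other conditions in LidoVault.sol that decide whether the `NCT` check is reached are out of scope.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";

// Hypothetical reduction: only the three statements quoted in the report.
// Vault start/end state, premiums and Lido accounting are not modeled.
contract ClaimTokenModel {
    mapping(address => uint256) public fixedClaimToken;
    mapping(address => uint256) public fixedBearerToken; // name assumed

    function deposit(uint256 shares) external {
        // Mint claim tokens
        fixedClaimToken[msg.sender] += shares;
    }

    function claimFixedPremium() external {
        uint256 claimBal = fixedClaimToken[msg.sender];
        require(claimBal > 0, "no claim tokens"); // error string assumed
        // Mint bearer tokens (amount assumed equal to the claim balance)
        fixedBearerToken[msg.sender] += claimBal;
        // Burn claim tokens
        fixedClaimToken[msg.sender] = 0;
    }

    function withdraw() external view returns (uint256 claimBalance) {
        // need to have claim tokens
        claimBalance = fixedClaimToken[msg.sender];
        require(claimBalance > 0, "NCT");
    }
}

contract ClaimTokenModelTest is Test {
    ClaimTokenModel internal model = new ClaimTokenModel();

    function test_withdrawRevertsAfterClaim() public {
        model.deposit(1 ether);
        assertEq(model.withdraw(), 1 ether); // check passes before the claim

        model.claimFixedPremium();
        assertEq(model.fixedClaimToken(address(this)), 0);
        assertEq(model.fixedBearerToken(address(this)), 1 ether);

        // Same caller, same check: the zeroed balance now fails it
        vm.expectRevert(bytes("NCT"));
        model.withdraw();
    }
}
```

The same deposit, claim, withdraw sequence run against the full contract in a fork or integration test is what confirms or refutes the report's reachability claim.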