0xAadi - SuperPool.totalAssets() is not EIP-4626 compliant #543

Closed
sherlock-admin3 opened this issue Aug 24, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

sherlock-admin3 commented Aug 24, 2024

0xAadi

Medium

SuperPool.totalAssets() is not EIP-4626 compliant

Summary

The totalAssets() function in the SuperPool contract does not fully comply with ERC4626 requirements, as it does not account for accrued interest in its calculation of total managed assets.

Vulnerability Detail

According to EIP-4626, totalAssets() MUST be inclusive of any fees that are charged against assets in the Vault.

The totalAssets() function is intended to provide the total amount of underlying assets managed by the vault. However, it currently only sums the balance of assets held directly by the SuperPool and those in the underlying pools, without including any accrued interest (which is inclusive of the interest fee). This omission means that the function does not accurately reflect the total assets under management, potentially misleading users about the actual value of the vault's holdings.

Impact

The lack of accrued interest in the totalAssets() calculation can lead to discrepancies in asset reporting, affecting users' understanding of the vault's performance and potentially impacting decisions based on the vault's reported assets. This could result in financial miscalculations or misrepresentations of the vault's value.

Code Snippet

https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/SuperPool.sol#L180

Tool used

Manual Review

Recommendation

Modify the totalAssets() function to include accrued interest in its calculation. This could involve integrating logic from simulateAccrue() to ensure that any interest accrued since the last update is reflected in the total assets reported by the function.

Duplicate of #110

@github-actions github-actions bot closed this as completed Sep 5, 2024
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Sep 5, 2024
@sherlock-admin4 sherlock-admin4 changed the title Abundant Cobalt Gazelle - SuperPool.totalAssets() is not EIP-4626 complaint 0xAadi - SuperPool.totalAssets() is not EIP-4626 complaint Sep 15, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Sep 15, 2024
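
A simplified Python model of the discrepancy the report describes, added here as an illustration; it is not code from the SuperPool contract or from the report's author. The class, field names, linear interest formula and sample numbers are assumptions. It also shows an invariant a test suite can assert: the reported total must equal the stored total immediately after accrual.

```python
from dataclasses import dataclass, replace

SCALE = 10**18  # fixed-point scale for the per-second rate (constructed)

@dataclass
class ModelVault:
    """Simplified vault model; names are hypothetical, not SuperPool's."""
    idle: int          # assets held directly by the vault
    lent: int          # balance recorded in underlying pools at last_update
    rate_per_sec: int  # interest rate scaled by SCALE
    last_update: int   # timestamp of the last accrual
    total_shares: int

    def pending_interest(self, now: int) -> int:
        # Interest earned since last_update but not yet written to storage.
        return self.lent * self.rate_per_sec * (now - self.last_update) // SCALE

    def total_assets_stored(self) -> int:
        # Sums stored balances only: the behaviour the report describes.
        return self.idle + self.lent

    def total_assets_simulated(self, now: int) -> int:
        # View-only accrual simulation, as the recommendation suggests.
        return self.total_assets_stored() + self.pending_interest(now)

    def accrue(self, now: int) -> None:
        # State-changing accrual: folds pending interest into storage.
        self.lent += self.pending_interest(now)
        self.last_update = now

def convert_to_shares(assets: int, total_shares: int, total_assets: int) -> int:
    # ERC-4626 style conversion, rounding down.
    return assets * total_shares // total_assets

def view_matches_post_accrual(vault: ModelVault, reported: int, now: int) -> bool:
    """Invariant: a reported total must equal storage right after accrue()."""
    probe = replace(vault)  # copy, so the caller's vault is left untouched
    probe.accrue(now)
    return reported == probe.total_assets_stored()

def demo() -> dict:
    # Constructed state: 1,000 idle, 9,000 lent, 1e-8 per second, 30 days elapsed.
    v = ModelVault(idle=1_000, lent=9_000, rate_per_sec=10**10,
                   last_update=0, total_shares=10_000)
    now = 30 * 24 * 3600
    stored, simulated = v.total_assets_stored(), v.total_assets_simulated(now)
    return {"stored": stored, "simulated": simulated,
            "shares_stored": convert_to_shares(1_000, v.total_shares, stored),
            "shares_simulated": convert_to_shares(1_000, v.total_shares, simulated),
            "stored_ok": view_matches_post_accrual(v, stored, now),
            "simulated_ok": view_matches_post_accrual(v, simulated, now)}
```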