0x73696d616f - Users will steal excess funds from the Vault due to VaultPoolLib::redeem() not always decreasing self.withdrawalPool.raBalance and self.withdrawalPool.paBalance
#144
Labels: Has Duplicates, High, Reward, Sponsor Confirmed, Won't Fix
0x73696d616f
High
Users will steal excess funds from the Vault due to VaultPoolLib::redeem() not always decreasing self.withdrawalPool.raBalance and self.withdrawalPool.paBalance
Summary
Vault::redeemExpiredLv() calls VaultLib::redeemExpired(), which allows users to withdraw funds after expiry, even if they have not requested a redemption. This redemption happens in VaultPoolLib::redeem(): when userEligible < amount, it internally calls __redeemExcessFromAmmPool(), where only self.ammLiquidityPool.balance is reduced, but not self.withdrawalPool.raBalance and self.withdrawalPool.paBalance. As such, when calculating the withdrawal pool balance in the next issuance in VaultPoolLib::reserve(), it will double count all the already withdrawn self.withdrawalPool.raBalance and self.withdrawalPool.paBalance, allowing users to withdraw the same funds twice.
Root Cause
In VaultPoolLib::__redeemExcessFromAmmPool(), self.withdrawalPool.raBalance and self.withdrawalPool.paBalance are not decreased, but ra and pa are also withdrawn from the withdrawal pool when the user has partially requested redemption.
Internal pre-conditions
VaultLib::redeemExpired(), that is, userEligible < amount.
External pre-conditions
None.
Attack Path
Vault::redeemExpiredLv(), withdrawing from the withdrawal pool, but self.withdrawalPool.raBalance and self.withdrawalPool.paBalance are not decreased.
VaultPoolLib::reserve(), the funds are double counted as not all withdrawals were reduced.
self.withdrawalPool.raExchangeRate and self.withdrawalPool.paExchangeRate will be inflated by double the funds and users will redeem more funds than they should, leading to the insolvency of the Vault.
Impact
Users steal funds while unaware users will not be able to withdraw.
PoC
__tryRedeemExcessFromAmmPool() does not decrease the withdrawn self.withdrawalPool.raBalance and self.withdrawalPool.paBalance.
Mitigation
Replace __tryRedeemfromWithdrawalPool() with __redeemfromWithdrawalPool().
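The bookkeeping gap described above can be checked with a solvency invariant: recorded balances must never exceed tokens held. The following is an added example, not code from the report or from the audited project. It is a simplified RA-only model in Python; the class, field and function names, the 1:1 redemption rate, and the assumption that a fully requested redemption debits the withdrawal pool are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class VaultModel:
    """Toy RA-only model of the two bookkeeping buckets named in the report."""
    ra_held: int          # RA tokens the vault really holds
    wp_ra_balance: int    # stands in for self.withdrawalPool.raBalance
    amm_balance: int      # stands in for self.ammLiquidityPool.balance
    decrement_on_partial: bool  # False: reported behaviour, True: mitigated

    def redeem(self, amount: int, user_eligible: int) -> int:
        """Redeem `amount` LV at an assumed 1:1 rate; returns RA paid out."""
        if amount <= 0 or user_eligible < 0:
            raise ValueError("amount must be positive, eligibility non-negative")
        from_wp = min(amount, user_eligible)   # part covered by a prior request
        excess = amount - from_wp              # part taken from the AMM pool
        if from_wp > self.wp_ra_balance or excess > self.amm_balance:
            raise ValueError("insufficient recorded balance")
        if excess == 0:
            # Fully requested redemption (assumed): withdrawal pool is debited.
            self.wp_ra_balance -= from_wp
        else:
            # userEligible < amount: the excess path debits the AMM bucket, but
            # the withdrawal-pool debit happens only in the mitigated variant.
            self.amm_balance -= excess
            if self.decrement_on_partial:
                self.wp_ra_balance -= from_wp
        self.ra_held -= from_wp + excess       # tokens leave the vault either way
        return from_wp + excess

    def unbacked_ra(self) -> int:
        """Recorded RA minus RA held; non-zero means funds are double counted."""
        return self.wp_ra_balance + self.amm_balance - self.ra_held


def run(decrement_on_partial: bool) -> int:
    # Constructed scenario: 100 RA in each bucket, user requested 40, redeems 70.
    v = VaultModel(ra_held=200, wp_ra_balance=100, amm_balance=100,
                   decrement_on_partial=decrement_on_partial)
    v.redeem(amount=70, user_eligible=40)
    return v.unbacked_ra()


if __name__ == "__main__":
    print("reported behaviour, unbacked RA:", run(False))
    print("mitigated behaviour, unbacked RA:", run(True))
```

An invariant of this shape, asserted after every redeem call in a fuzz or invariant test suite, flags the stale balance before a later reserve() reads it.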