0x73696d616f - Users redeeming with `Ds` in the `Psm` will not decrease the correct amount of locked `Ra`, leading to stolen funds on withdrawals
#179
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A High severity issue.
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed

Summary

`Psm::redeemRaWithDs()` calls `PsmLib::redeemWithDs()`, which calls `PsmLib::_afterRedeemWithDs()` to send the unlocked `Ra` to the owner and decrease `self.psm.balances.ra.locked`, that is, the amount of `Ra` locked in the contract, by calling `self.psm.balances.ra.unlockTo(owner, received);`.

However, in the process, the `Ra` amount subtracted from `self.psm.balances.ra.locked` is just `received`, from which the fee has already been subtracted. But this fee is used to provide liquidity, which means it is no longer locked and available, leading to the `Psm` having a bigger `self.psm.balances.ra.locked` than it should.

As such, in `PsmLib::_separateLiquidity()`, more `Ra` than what really exists is assumed to be available for withdrawal, which lets some users steal `Ra` when withdrawing and leaves the last users unable to withdraw.

Root Cause

In `PsmLib:346`, the `Ra` locked is decreased by the received amount minus the fee.

Internal pre-conditions

None.
External pre-conditions
None.
Attack Path
`Psm::redeemWithDs()`.

Impact

Users withdrawing first steal funds and the last users will not be able to withdraw their funds at all.
PoC
In `PsmLib::_afterRedeemWithDs()`, `self.psm.balances.ra.unlockTo(owner, received);` is called with the received amount minus the fee:

In `RedemptionAssetManagerLib::unlockTo()` it decreases the locked `Ra` by the amount passed:

Mitigation

In `PsmLib::_afterRedeemWithDs()`, the user should receive the amount minus the fee but the locked `Ra` should decrease by the full amount:

Duplicate of #155
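
A small Python model of the accounting drift described in this report, comparing the reported behaviour with the proposed mitigation. It is an added example, not code from the report or from the protocol; the `PsmModel` class, the pro-rata `settle` step standing in for the withdrawal path, the amounts and the 5% fee are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

BPS = 10_000

@dataclass
class PsmModel:
    fix_applied: bool
    ra_held: int = 0    # RA actually sitting in the contract
    ra_locked: int = 0  # counter standing in for self.psm.balances.ra.locked

    def deposit(self, amount: int) -> None:
        self.ra_held += amount
        self.ra_locked += amount

    def redeem_with_ds(self, amount: int, fee_bps: int) -> int:
        fee = amount * fee_bps // BPS
        received = amount - fee
        # Both parts leave the contract: `received` to the user, `fee` to liquidity.
        self.ra_held -= amount
        # Reported behaviour unlocks only `received`; the mitigation unlocks `amount`.
        self.ra_locked -= amount if self.fix_applied else received
        return received

    def settle(self, shares: list[int]) -> list[tuple[int, bool]]:
        # Assumed withdrawal model: split the recorded locked RA pro rata,
        # paying claimants in order out of the RA that really exists.
        snapshot, total, results = self.ra_locked, sum(shares), []
        for share in shares:
            claim = snapshot * share // total
            paid = claim <= self.ra_held  # a token transfer would revert otherwise
            if paid:
                self.ra_held -= claim
                self.ra_locked -= claim
            results.append((claim, paid))
        return results

def run_scenario(fix_applied: bool) -> tuple[int, list[tuple[int, bool]]]:
    psm = PsmModel(fix_applied)
    psm.deposit(3_000)                      # constructed amount
    psm.redeem_with_ds(1_000, fee_bps=500)  # constructed 5% fee
    drift = psm.ra_locked - psm.ra_held     # over-reported locked RA
    return drift, psm.settle([1, 1])

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", run_scenario(fixed))
```

In the unfixed run the counter over-reports by exactly the fee, so the first claimant is paid an inflated share and the second claim cannot be covered; with the full amount unlocked both claims settle.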