0xnbvc - Incorrect amount parameter passed to RedemptionAssetManagerLibrary.incLocked() leads to incorrect amount of Redemption Asset tokens being locked and DoS of PsmCore.redeemRaWithDs() and PsmCore.redeemRaWithCtDs()
#40
Comments
1 comment(s) were left on this issue during the judging contest. tsvetanovv commented:
Escalate

The escalation could not be created because you are not exceeding the escalation threshold. You can view the required number of additional valid issues/judging contest payouts in your Profile page,

Escalate above comment

You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

The code is correct, this issue got it wrong.

```solidity
function calculateProvideLiquidityAmountBasedOnCtPrice(uint256 amountra, uint256 priceRatio)
    external
    pure
    returns (uint256 ra, uint256 ct)
{
    ct = (amountra * 1e18) / (priceRatio + 1e18);
    ra = (amountra - ct);
    assert((ct + ra) == amountra);
}
```

Where

As I understand, the above comment is correct and the issue is invalid. Planning to reject the escalation and leave the issue as it is.

Result:

Escalations have been resolved successfully! Escalation status:

0xnbvc
High
Incorrect amount parameter passed to `RedemptionAssetManagerLibrary.incLocked()` leads to incorrect amount of Redemption Asset tokens being locked and DoS of `PsmCore.redeemRaWithDs()` and `PsmCore.redeemRaWithCtDs()`
Summary
`ctAmount` is passed to `RedemptionAssetManagerLibrary.incLocked()` instead of `raAmount`, leading to incorrect amount of Redemption Asset tokens being locked, leading to DoS of `PsmCore.redeemRaWithDs()` and `PsmCore.redeemRaWithCtDs()`
Vulnerability Detail
`RedemptionAssetManagerLibrary.incLocked()` is called by `PsmLibrary.unsafeIssueToLv()` to increase the value of the `locked` Redemption Asset tokens variable, and should be increased by the `raAmount` passed in `VaultLibrary.__provideLiquidity()`.

However it is passed the `ctAmount` instead.

Thus, when `raAmount` is > `ctAmount`, the `locked` variable will be increased by the incorrect (lower than what it should be) amount of Redemption Asset tokens.

It will lead to a DoS of `PsmCore.redeemRaWithDs()` and `PsmCore.redeemRaWithCtDs()` that both call `RedemptionAssetManagerLibrary.unlockTo()` to decrease the value of the `locked` variable, by a superior amount than the `locked` variable actually contains.
Impact
DoS due to wrong accounting of the `locked` variable.
Code Snippet
PsmLib.sol#L120
Tool used
Manual Review
Recommendation
Modify `PsmLibrary.unsafeIssueToLv()` to accept 2 parameters: `raAmount` and `ctAmount` and pass the correct `raAmount` to `RedemptionAssetManagerLibrary.incLocked()`.
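
A claim like this one can be tested by modelling the `locked` counter and comparing what is locked with what is later unlocked. The Python model below is an added example, not code from the project or from anyone in this thread: `LockedLedger`, `settle` and the sample amounts are hypothetical, `split_by_ct_price` ports the function quoted in the comments, and the run assumes the amount later unlocked equals `ct`.

```python
"""Model of the `locked` counter discussed in this issue (added example)."""

WAD = 10**18  # 18-decimal fixed-point unit, as in the quoted Solidity


def split_by_ct_price(amount_ra: int, price_ratio: int) -> tuple[int, int]:
    """Python port of calculateProvideLiquidityAmountBasedOnCtPrice from the thread."""
    ct = (amount_ra * WAD) // (price_ratio + WAD)  # Solidity `/` truncates
    ra = amount_ra - ct
    assert ct + ra == amount_ra
    return ra, ct


class Underflow(Exception):
    """Stands in for the revert raised by checked uint256 subtraction."""


class LockedLedger:
    """Hypothetical stand-in for the counter behind incLocked()/unlockTo()."""

    def __init__(self) -> None:
        self.locked = 0

    def inc_locked(self, amount: int) -> None:
        self.locked += amount

    def unlock_to(self, amount: int) -> None:
        if amount > self.locked:
            raise Underflow(f"unlock {amount} > locked {self.locked}")
        self.locked -= amount


def settle(lock_amount: int, claims: int) -> str:
    """Lock `lock_amount`, then unlock `claims`; report the counter's fate."""
    ledger = LockedLedger()
    ledger.inc_locked(lock_amount)
    try:
        ledger.unlock_to(claims)
    except Underflow:
        return "revert"  # redemption is blocked (the DoS the report describes)
    return "balanced" if ledger.locked == 0 else f"stranded:{ledger.locked}"


if __name__ == "__main__":
    # Constructed inputs: 1000 RA at a price ratio of 0.25 (18 decimals).
    ra, ct = split_by_ct_price(1000 * WAD, WAD // 4)
    print("ra =", ra, "ct =", ct)
    # Assumption for this run: the amount later unlocked equals ct.
    print("lock ct:", settle(ct, claims=ct))
    print("lock ra:", settle(ra, claims=ct))
```

The outcome depends only on whether the locked amount matches the amount later unlocked, so the check to make against the real contracts is which of `raAmount` and `ctAmount` backs the tokens that can be redeemed.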