Bigsam - Incorrect Asset Check in SuperPool whenever we want to Deposit into Any POOL Contract. #250
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium
A Medium severity issue.
Reward
A payout will be made for this issue
Sponsor Disputed
The sponsor disputed this issue's validity
Won't Fix
The sponsor confirmed this issue will not be fixed
Bigsam
Medium
Incorrect Asset Check in SuperPool whenever we want to Deposit into Any POOL Contract.
Summary
The SuperPool contract contains an error in its asset-checking logic during deposit operations. Instead of querying the total assets in the pool, it incorrectly checks only the assets deposited by the SuperPool itself. This can result in multiple failed attempts to deposit because exceeding the pool cap is highly possible.
Vulnerability Detail
The SuperPool contract currently uses the wrong method to check the total assets available in the underlying pool before performing a deposit. The function
getAssetsOf(poolId, address(this))
is used to query the assets deposited by the SuperPool itself, rather than querying the total assets in the pool (getTotalAssets
). This leads to an incorrect comparison when checking if the total deposit exceeds the pool cap, potentially allowing deposits that should be reverted.Impact
Impact
The incorrect asset check can result in the SuperPool incorrectly determining that a deposit is within the pool cap when it is not. As a result, the SuperPool might attempt to deposit funds into the underlying pool, but the pool will reject the transaction because the cap has actually been exceeded.
Problematic Code:
The following is a summary of the incorrect checks:
These checks incorrectly compare the amount of assets deposited by the SuperPool with the pool's cap, rather than considering the entire pool's total assets.
Ideal Check in Pool contract deposit function
totalDepositAssets + assets should be compared not borrowed asset for superpool and asset to cap .
Code Snippet
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/Pool.sol#L320
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/SuperPool.sol#L528
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/SuperPool.sol#L448
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/Pool.sol#L217-L226
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/Pool.sol#L242-L247
Tool used
Manual Review
Recommendation
To accurately enforce the pool cap, you should query the total assets in the pool by using the
getTotalAssets
function, which returns the correct value after accounting for all deposits and accrued interest. This ensures the check is performed against the actual total assets in the pool, not just those deposited by the SuperPool.Replace the incorrect checks with queries to
getTotalAssets
:Corrected Rebalance Check:
Corrected Deposit Check:
Duplicate of #178
The text was updated successfully, but these errors were encountered: