KupiaSec - The `SuperPool._supplyToPools()` function only considers the state variable `poolCapFor` for the `SuperPool`'s `poolId`s, not the `poolCap` for the `Pool`'s `poolId`s
#536
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium
A Medium severity issue.
Reward
A payout will be made for this issue
Sponsor Disputed
The sponsor disputed this issue's validity
Won't Fix
The sponsor confirmed this issue will not be fixed
KupiaSec
Medium
The `SuperPool._supplyToPools()` function only considers the state variable `poolCapFor` for the `SuperPool`'s `poolId`s, not the `poolCap` for the `Pool`'s `poolId`s
Summary
In the `SuperPool._supplyToPools()` function, the deposit amount for each individual `poolId` is calculated as `supplyAmt = poolCapFor[poolId] - assetsInPool`. However, it does not check whether this `supplyAmt` exceeds the `poolCap` of the `poolId` in the `Pool` contract. If it does cause an overflow of the `poolCap`, the deposit to that `poolId` fails, and the flow moves on to the next `poolId`. Even if the previous `poolId` could accommodate some assets, the deposit flow skips it. This could lead to a suboptimal reordering of the `depositQueue`.
Vulnerability Detail
Let's consider the following scenario:
- `SuperPool` has two `poolId`s in its `depositQueue`:
  - `poolId` has already received a significant amount of assets, leaving only $100 in deposit space due to its `poolCap`.
  - `poolId`.
- `SuperPool`. The `_supplyToPools()` function is then invoked to allocate Alice's $200 to the two `poolId`s:
  - `SuperPool` first attempts to deposit $200 into the first `poolId`, but this fails because the first `poolId` can only accommodate $100.
  - `SuperPool` then tries to deposit the full $200 into the second `poolId`, which succeeds as it has enough capacity.

In fact, a more appropriate allocation would be to deposit $100 into the first `poolId` and $100 into the second `poolId`. The above scenario could lead to a suboptimal reordering of the `depositQueue`.

Additionally, in the worst-case scenario, if Alice deposits $300, no amount will be deposited into the base pools, as neither `poolId` can accommodate the full $300.
Impact
The current deposit mechanism may result in a suboptimal reordering of the `depositQueue`.
Code Snippet
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/SuperPool.sol#L524-L543
Tool used
Manual Review
Recommendation
Ensure that the `supplyAmt` does not cause an overflow of the `poolCap` for the `poolId` in the `Pool` contract.
Duplicate of #178
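
The scenario above as a simplified model, added here as an example and not the SuperPool contract's code. It compares the loop as the report describes it with one that also caps `supplyAmt` at the base pool's remaining room; the $250 of room in the second pool, the SuperPool-side caps of 1,000, and all class and function names are assumptions.

```python
from dataclasses import dataclass


class CapExceeded(Exception):
    """Stands in for the Pool reverting when its poolCap would be exceeded."""


@dataclass
class BasePool:
    pool_cap: int      # poolCap enforced by the Pool contract
    total_assets: int  # assets this poolId already holds

    def room(self) -> int:
        return max(self.pool_cap - self.total_assets, 0)

    def deposit(self, amount: int) -> None:
        if amount > self.room():
            raise CapExceeded
        self.total_assets += amount


def supply_to_pools(assets, queue, pools, pool_cap_for, in_pool, respect_pool_cap):
    """Walk the deposit queue; return (deposits per poolId, undeposited remainder)."""
    placed = {}
    for pool_id in queue:
        if assets == 0:
            break
        supply_amt = min(pool_cap_for[pool_id] - in_pool[pool_id], assets)
        if respect_pool_cap:
            # Recommended check: never request more than the base pool can take.
            supply_amt = min(supply_amt, pools[pool_id].room())
        if supply_amt <= 0:
            continue
        try:
            pools[pool_id].deposit(supply_amt)
        except CapExceeded:
            continue  # failed deposit is skipped; flow moves to the next poolId
        in_pool[pool_id] += supply_amt
        placed[pool_id] = supply_amt
        assets -= supply_amt
    return placed, assets


def run(assets, respect_pool_cap):
    # Constructed state: poolId 1 has $100 of room, poolId 2 has $250 of room.
    pools = {1: BasePool(1_000, 900), 2: BasePool(1_000, 750)}
    return supply_to_pools(assets, [1, 2], pools, {1: 1_000, 2: 1_000},
                           {1: 0, 2: 0}, respect_pool_cap)
```

`run(200, False)` reproduces the reported allocation and `run(300, False)` the worst case; passing `True` applies the recommended cap.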