-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hash - New depositors can loose their assets due to existing shares when totalAssets is 0 following a bad debt rebalance #584
Comments
#319 is a duplicate of this issue |
Escalate, |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
#209 is also duplicate |
Result: |
Escalations have been resolved successfully! Escalation status:
|
The protocol team fixed this issue in the following PRs/commits: |
hash
Medium
New depositors can loose their assets due to existing shares when totalAssets is 0 following a bad debt rebalance
Summary
New depositors can loose their assets due to existing shares even when totalAssets is 0
Vulnerability Detail
Having 0 totalAssets and non-zero shares is a possible scenario due to rebalacne
In such a case, if a new user deposits, it will not revert but instead mint shares 1:1 with the assets. But as soon as it is minted, the value of the user's share will decrease because of the already existing shares
Eg:
deposit shares = 100, deposit assets = 100, borrow assets = 100
borrow position becomes bad debt and rebalance bad debt is invoked
now deposit shares = 100, deposit assets = 0
new user calls deposit with 100 assets
they get 100 shares in return but share value is now 0.5 and they can withdraw only 50
This can occur if a large position undergoes a rebalance and the others manage to withdraw their assets right before the rebalance (superpool dominated pools can higher chances of such occurence)
Impact
Users can loose their assets when depositing to pools that have freshly undergone rebalanceBadDebt
Code Snippet
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/Pool.sol#L275
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/Pool.sol#L547
Tool used
Manual Review
Recommendation
If totalShares is non-zero and totalAssets is zero, revert for deposits
Duplicate of #319
The text was updated successfully, but these errors were encountered: