Lack of zero checks can allow withdrawing assets without pool tokens

Question

Lack of zero checks can allow withdrawing assets without pool tokens

Closed this issue 5 years ago · 1 comments

Severity: High
Difficulty: Medium

Description

A rounding operation on assets withdrawal in HegicETHPool and HegicERCPool can allow anyone to withdraw the assets for free.

To withdraw assets, the caller needs amount * totalSupply / totalBalance tokens:
https://github.com/0mllwntrmt3/hegic-contracts-v1/blob/7765bd0a6ea697b6365774800d881f558533ac28/HegicERCPool.sol#L20-L22

If amount * totalSupply is below totalBalance, the amount of tokens to be burned will be zero. As a result, anyone will be able to drain the pool's funds.

Note that totalSupply() < totalBalance() is possible if one sends liquidity to the pool without calling provide

Exploit Scenario

Bob is the liquidity provider. Bob sends directly 1,000 ether to the pool, without calling provide. Eve calls withdraw dozen of times with a low amount, and slowly drain the pool's funds.

Recommendation

Short term, ensure burn is greater than zero.

Long term, consider using Echidna and Manticore to ensure that the arithmetic rounding cannot let anyone to receive assets for free.

Answer 1 · 2020-04-14T06:40:37.000Z

commit issue_3