[ERC4626]: implement totalAssets in base class

Question

[ERC4626]: implement totalAssets in base class

jaglinux opened this issue 3 years ago · 3 comments

https://github.com/Rari-Capital/solmate/blob/eaaccf88ac5290299884437e1aee098a96583d54/src/mixins/ERC4626.sol#L122
Trying to understand why there is no implementation for totalAssets() ?
totalAssets() should return vault's balance of underlying asset. The derived contract or the implementer could override the logic if required.

Answer 1 · 2022-06-08T03:32:19.000Z

using balanceOf the asset is fairly dangerous cuz ur susceptible to vault donation attacks, if we were to provide another state variable to track the vaults total assets we wouldnt know what uint size to make it so it can pack with the user's other state. for those reasons i'd prefer to leave this unimplemented

Answer 2 · 2022-06-08T19:53:35.000Z

susceptible to vault donation attacks

Can you explain the potential attack further? Are there concrete circumstances under which a donation could be used as part of an attack?

Answer 3 · 2022-06-08T21:00:08.000Z

Can you explain the potential attack further? Are there concrete circumstances under which a donation could be used as part of an attack?

the attack wouldn't be against the vault itself (it should be secure in that case) but any protocols which depend on the vault's share price not skyrocketing randomly. the ability to donate and boost the share price dramatically can really screw up the economics of different defi projects (notably lending markets)

an example of the attack in the wild is the cream yearn hack: https://mudit.blog/cream-hack-analysis/