Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: deposit everything to AffiliateToken #261

Merged
merged 1 commit into from
Apr 3, 2021
Merged

Fix: deposit everything to AffiliateToken #261

merged 1 commit into from
Apr 3, 2021

Conversation

mazaletskiy
Copy link
Contributor

First bug:

See:
1.https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L101

Here share is calculated before the deposit.

  1. If we consider the situation in which MAX UINT256 passed as input
    https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L98

  2. When we pass the MAX_UINT value, the vulnerability appears in this code.
    See:
    1.https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L101

Here share is calculated before the deposit.

  1. If we consider the situation in which MAX UINT256 passed as input
    https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L98

  2. When we pass the MAX_UINT value, the vulnerability appears in this code.

Since share will be calculated from the MAX_UINT amount
https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L91, not the actual amount that was sent to the deposit.

Which ultimately leads to the fact that https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L104

the wrong number of tokens will be issued.

Another bug:

See:

  1. Here, pass MAX_UINT to trigger DEPOSIT_EVERTING, in the _deposit function
    https://github.com/yearn/brownie-wrapper-mix/blob/master/contracts/AffiliateToken.sol#L98

  2. Next, try to call safeTransferFrom
    https://github.com/yearn/yearn-vaults/blob/master/contracts/BaseWrapper.sol#L113

But at the same time we are trying to write off MAX_UINT, of course, which are not on the user's balance.

As a result, it gets that the transaction will fail.

fubuloubu
fubuloubu approved these changes Apr 2, 2021
View reviewed changes
Copy link
Member

@fubuloubu fubuloubu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix first commit message

contracts/test/AffiliateToken.sol Outdated Show resolved Hide resolved
contracts/test/AffiliateToken.sol Outdated Show resolved Hide resolved
@mazaletskiy
Copy link
Contributor Author

@fubuloubu I updated PR

@fubuloubu fubuloubu merged commit 0fd38ae into yearn:master Apr 3, 2021
orbxball pushed a commit to orbxball/yearn-vaults that referenced this pull request Aug 8, 2021
@mazaletskiy
fix: deposit everything to AffiliateToken (yearn#261)
e2426fa
sambacha pushed a commit to sambacha/yearn-vaults that referenced this pull request Sep 7, 2021
@mazaletskiy @sambacha
fix: deposit everything to AffiliateToken (yearn#261)
e0f1235
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fubuloubu fubuloubu fubuloubu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mazaletskiy @fubuloubu