Category: Business Logic

First depositor issue

Low Severity
Low Impact
Low Likelihood

Description

The first depositor issue arises from share inflation and applies in particular when the vault has no shares outstanding.

A depositor making the first deposit to the vault could be front-run by a malicious attacker. The attacker would deposit assets directly into the vault without receiving shares. Then, when the first deposit is processed, the depositor receives zero shares due to truncation, but the assets are still pulled.

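function _getSharesFromDepositedAmount(uint256 assets) internal view returns (uint256) {
	// totalAssets() already includes the deposit being processed, so it is subtracted here.
	uint256 _totalAssets = totalAssets();
	uint256 totalAssetsBeforeDeposit = _totalAssets > assets ? _totalAssets - assets : 0;
	// Rounds down: a large pre-deposit balance with a small totalSupply() yields zero shares.
	return assets.mulDiv(totalSupply() + 10 ** _decimalsOffset(), totalAssetsBeforeDeposit + 1, Math.Rounding.Down);
}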

Impact

The vault receives assets but does not generate a share. The attacker can then mint one share and redeem it, stealing the initial deposit that was front-run.

Recommendations

Ensure that there is some seed liquidity in the vault.
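
The effect of seed liquidity on the share formula above can be checked with a small integer model. This is an added example, not part of the original report or of Definitive's code; `VaultModel`, the helper names, the sample amounts, and a `_decimalsOffset()` of 0 are assumptions.

```python
# Integer model of the share formula quoted in the finding (constructed example).
# Assumption: _decimalsOffset() is 0; the report does not state its value.
DECIMALS_OFFSET = 0


def shares_from_deposited_amount(assets, total_assets, total_supply):
    """Mirrors _getSharesFromDepositedAmount: total_assets already includes
    the deposit, and // truncates like Math.Rounding.Down."""
    before = total_assets - assets if total_assets > assets else 0
    return assets * (total_supply + 10 ** DECIMALS_OFFSET) // (before + 1)


class VaultModel:
    """Hypothetical minimal vault state: asset balance and shares outstanding."""

    def __init__(self):
        self.total_assets = 0
        self.total_supply = 0

    def deposit(self, assets):
        self.total_assets += assets  # assets are pulled before shares are computed
        shares = shares_from_deposited_amount(assets, self.total_assets, self.total_supply)
        self.total_supply += shares
        return shares

    def add_unshared_assets(self, assets):
        """Balance increase that mints no shares (the direct deposit in the finding)."""
        self.total_assets += assets


def first_user_shares(seed, unshared, deposit):
    """Shares minted to a user whose deposit is processed after `unshared` assets
    arrive, in a vault launched with `seed` assets of initial liquidity."""
    vault = VaultModel()
    if seed:
        vault.deposit(seed)
    vault.add_unshared_assets(unshared)
    return vault.deposit(deposit)


def unshared_needed_to_zero(seed, deposit):
    """Smallest unshared balance for which `deposit` truncates to 0 shares;
    use it to judge whether a planned seed makes that balance impractical."""
    return deposit * (seed + 1) * 10 ** DECIMALS_OFFSET - seed


if __name__ == "__main__":
    for seed in (0, 1_000, 10**6):
        print(seed, first_user_shares(seed, 10**6, 10**6), unshared_needed_to_zero(seed, 10**6))
```

In this model, a pre-deposit balance equal to the deposit truncates the first deposit to zero shares in an empty vault, while the same balance in a vault seeded with 1,000 units still mints 999 shares.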

Remediation

The Definitive team confirmed that they will launch their vaults with some initial liquidity.

Zellic © 2024