Category: Protocol Risks

Race condition allows admin to drain the vault

High Impact
Critical Severity
Low Likelihood

Description

There is an opportunity for a race condition during the redemption step. After calling requestRedeem but before redeem is executed, an admin changing the withdraw fee can cause more assets than a user paid for to be transferred out of the vault. The root cause is that the fee percentage is calculated at a separate step from the calculation of the number of assets to transfer.

There are two scenarios:

  1. The fee percentage increases. The user will have transferred fewer shares than necessary in the requestRedeem step to cover the new fees. The user would have underpaid in shares, and more of the vault's assets than intended would be used to cover the difference.

  2. The fee percentage decreases. The user will have transferred more shares than necessary. The user would have overpaid, and the assets would remain in the vault (value distributed to remaining users).

If the fee percentage increases, a further edge case can arise when vault liquidity is low. Shares are burned and assets are calculated in the requestRedeem step, so the vault may not hold enough assets to cover the increased fee in the redeem step. The redeem would then abort, and the funds would be stuck in the vault.

Impact

This issue may be encountered accidentally in practice, but in our opinion, the riskiest scenario is a malicious or compromised admin intentionally changing the fee percentage to steal funds.

The following steps describe how the admin could drain the entire vault:

  1. They deposit exactly double the number of assets that are in the vault.

  2. In one transaction, they atomically:

    • change the fee to 0%,

    • set the fee receiver to the admin's address,

    • request a redemption of all the admin-deposited shares, and

    • change the fee to 100%.

  3. After waiting the required time, they redeem the shares. The vault's assets will be used to cover the fees, leaving all remaining shares worthless.

Recommendations

Store the fee percentage in the withdrawal request.

Alternatively, require that there are no open withdrawal requests before the fee percentage can be changed. Note that this solution would enable anyone to block fee changes by repeatedly creating zero-asset withdrawal requests with overlapping timelock periods so that the queue is never fully cleared.
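
The first recommendation above (storing the fee percentage in the withdrawal request), shown as an added accounting model that is not Solera's contract code. The class and function names, the fee formula (gross = net + net × fee) and the sample amounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BPS = 10_000  # basis-point denominator

@dataclass
class Request:
    assets: int   # net assets owed to the user, fixed in request_redeem
    fee_bps: int  # fee rate captured with the request (the recommendation)

@dataclass
class Vault:
    assets: int
    shares: int
    fee_bps: int
    snapshot_fee: bool  # False: redeem reads the live fee (the flaw)
    requests: dict = field(default_factory=dict)

    def request_redeem(self, user, shares):
        gross = shares * self.assets // self.shares  # value of burned shares
        # Assumed fee formula: gross = net + net * fee_bps / BPS
        net = gross * BPS // (BPS + self.fee_bps)
        self.shares -= shares
        self.requests[user] = Request(net, self.fee_bps)
        return gross

    def redeem(self, user):
        req = self.requests.pop(user)
        rate = req.fee_bps if self.snapshot_fee else self.fee_bps
        fee = req.assets * rate // BPS
        if req.assets + fee > self.assets:
            raise RuntimeError("insufficient liquidity, redeem aborts")
        self.assets -= req.assets + fee
        return req.assets + fee  # total leaving the vault (payout + fee)

def simulate(snapshot_fee, new_fee_bps, pool=1_000_000):
    """Request at a 1% fee, change the fee, redeem: (gross, outflow)."""
    v = Vault(assets=pool, shares=pool, fee_bps=100, snapshot_fee=snapshot_fee)
    gross = v.request_redeem("alice", 101_000)  # constructed sample values
    v.fee_bps = new_fee_bps  # fee change lands between the two steps
    return gross, v.redeem("alice")

if __name__ == "__main__":
    for new_fee in (500, 0):
        print(new_fee, simulate(False, new_fee), simulate(True, new_fee))
```

With `pool=101_000` the live-fee variant raises at redeem, which is the stuck-funds case from the Description, while the snapshot variant settles for exactly the value of the burned shares.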

Remediation

This issue has been acknowledged by Solera Markets, and a fix was implemented in PR #8.

Zellic © 2025