Voyage > Business Logic > VToken.sol

Calls to redeem(...) can result in lost depositor funds

High Severity
Medium Impact
Medium Likelihood


We would like to credit Voyage for finding the following critical exploit while the audit was ongoing and in its early stages.

Calls to the base ERC4626 redeem(...) can be made by anyone. Unfortunately, redeem(...) does not perform any of the bookkeeping done by pushWithdraw(...), which is what records a pending withdrawal for later claiming:

function pushWithdraw(address _user, uint256 _shares) internal {
    // Record the shares the user is unbonding and the underlying they map to
    unbondings[_user].shares += _shares;
    unbondings[_user].maxUnderlying += convertToAssets(_shares);
    // Track vault-wide liabilities so they are no longer counted as backing live shares
    totalUnbonding += convertToAssets(_shares);
}

Because redeem(...) burns the caller's shares without updating unbondings[...] or totalUnbonding, a subsequent call to claim finds nothing recorded for the user and transfers no funds. The shares are gone and the underlying is never paid out.


We suggest modifying redeem(...) to incorporate the pushWithdraw(...) functionality, so that every path that burns shares also records the corresponding unbonding.
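To make the recommendation concrete, the following is an added illustrative contract, not Voyage's VToken.sol and not code from the audit. It assumes OpenZeppelin v4.9's ERC4626 as the base, and the Unbonding struct, unbondings mapping, totalUnbonding counter and claim() function are modelled on the pushWithdraw(...) snippet above rather than taken from the project. The commented-out redeem(...) shows the vulnerable shape (shares burned, nothing recorded); the live redeem(...) shows the fixed shape.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction (not Voyage's code): a two-step vault where
// redeem() burns shares and records an unbonding, and claim() later pays out.
// OpenZeppelin v4.9 ERC4626 is assumed as the base; Unbonding, unbondings,
// totalUnbonding and claim() are assumptions modelled on the finding's snippet.
import "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract UnbondingVault is ERC4626 {
    using SafeERC20 for IERC20;

    struct Unbonding {
        uint256 shares;
        uint256 maxUnderlying;
    }

    mapping(address => Unbonding) public unbondings;
    uint256 public totalUnbonding;

    constructor(IERC20 _asset) ERC4626(_asset) ERC20("Vault Share", "vSHARE") {}

    // Assets already earmarked for unbonding no longer back live shares, so
    // exclude them from the exchange rate.
    function totalAssets() public view override returns (uint256) {
        return IERC20(asset()).balanceOf(address(this)) - totalUnbonding;
    }

    function pushWithdraw(address _user, uint256 _shares) internal {
        uint256 assets = convertToAssets(_shares);
        unbondings[_user].shares += _shares;
        unbondings[_user].maxUnderlying += assets;
        totalUnbonding += assets;
    }

    // VULNERABLE shape (assumed, for contrast): shares are burned but nothing
    // is recorded, so a later claim() has nothing to pay out.
    // function redeem(uint256 shares, address receiver, address owner)
    //     public override returns (uint256)
    // {
    //     if (msg.sender != owner) _spendAllowance(owner, msg.sender, shares);
    //     _burn(owner, shares);            // shares gone ...
    //     return previewRedeem(shares);    // ... but unbondings[] untouched
    // }

    // FIXED shape: record the unbonding before burning so convertToAssets()
    // prices the shares at the pre-burn supply, then burn.
    function redeem(uint256 shares, address receiver, address owner)
        public override returns (uint256 assets)
    {
        require(shares <= maxRedeem(owner), "ERC4626: redeem more than max");
        if (msg.sender != owner) _spendAllowance(owner, msg.sender, shares);
        assets = convertToAssets(shares);
        pushWithdraw(receiver, shares);
        _burn(owner, shares);
        emit Withdraw(msg.sender, receiver, owner, assets, shares);
    }

    // The base withdraw() would pay out immediately and bypass the unbonding
    // path entirely; route it through redeem() so both entry points agree.
    function withdraw(uint256 assets, address receiver, address owner)
        public override returns (uint256 shares)
    {
        shares = previewWithdraw(assets);
        redeem(shares, receiver, owner);
    }

    // claim(): assumed to pay the recorded maxUnderlying in full (no unbonding
    // delay or slashing modelled here). Reverts if redeem() recorded nothing,
    // which is exactly the state the vulnerable redeem() left users in.
    function claim() external returns (uint256 assets) {
        Unbonding storage u = unbondings[msg.sender];
        assets = u.maxUnderlying;
        require(assets > 0, "nothing unbonding");
        totalUnbonding -= assets;
        delete unbondings[msg.sender];
        IERC20(asset()).safeTransfer(msg.sender, assets);
    }
}
```

The check a reviewer wants here is that every function that calls _burn on vault shares also calls pushWithdraw (or pays out synchronously), and that totalAssets() subtracts totalUnbonding so shares recorded as unbonding stop earning a share of the vault. With those two invariants, a redeem followed by a claim returns the same underlying that a synchronous ERC4626 redeem would have.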


Commit 2ebf6278 was indicated as containing the remediation. The issue appears to be correctly fixed in the given commit: redeem(...) now implements the correct logic, including a call to pushWithdraw(...).

We note that the actual remediation was performed in 3320ba3c, and that 2ebf6278 only performs a minor refactoring on the lines responsible for the fix.