Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Discussion>Similarities to ERC-4626 first-deposit issue
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.solWooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Similarities to ERC-4626 first-deposit issue

The Vault contracts(i.e VaultV2, WooSuperchargerVaultV2) are particularly similar to the ERC-4626 vaults. The similarities include the potential issue of first-deposit, where a malicious user can front-run the first deposit of a legitimate user, and inflate their worth of shares to withdraw more than they should, leaving the legitimate user with nothing to withdraw.

To mitigate against this issue, we recommend the following:

  • Create "dead shares" upon the first liquidity deposit. This can be done in multiple ways, one of them being that the first deposit has to be performed by a trusted party and the shares are sent to a dead address.

  • Keep track of assets held by the vault internally, rather than rely on the balanceOf function. This way, the donated assets cannot influence the vault's internal accounting.

Zellic © 2024Back to top ↑