Maia Governance token balance dilution in vMaia vault is breaking the conversion rate mechanism
#473
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-22
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/maia/tokens/ERC4626PartnerManager.sol#L235-L246
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/maia/tokens/ERC4626PartnerManager.sol#L215-L229
Vulnerability details
Impact
Once a user deposits Maia ERC-20 tokens into the vMaia ERC-4626 vault, he is eligible to claim 3 kinds of utility tokens, bHermes Weight & Governance and Maia Governance (pbHermes, partner governance). On each deposit, new Maia Governance tokens (pbHermes) are minted to the vault in proportion to the deposited amount, but those tokens are never burned on withdrawal. This naturally dilutes the vault's pbHermes token balance during the course of users depositing & withdrawing Maia tokens. Furthermore, a malicious user can dramatically accelerate this dilution by repeatedly depositing & withdrawing within a single transaction.
Note that the vault's bHermes Weight & Governance token balances are not diluted during this process.
However, the ERC4626PartnerManager.increaseConversionRate(...) method (ERC4626PartnerManager is the base of the vMaia contract) relies on the vault's pbHermes token balance and therefore imposes a lower limit on an increased pbHermes<>bHermes conversion rate to avoid underflow, see L226: min. rate = vault balance of pbHermes / Maia tokens in vault. Meanwhile the upper limit for a new conversion rate is given by L219: max. rate = vault balance of bHermes / Maia tokens in vault.
As a consequence, the vMaia vault owner's ability to increase the conversion rate is successively constrained by user deposits & withdrawals, until the point where the dilution of pbHermes reaches vault balance of pbHermes > vault balance of bHermes, which leads to complete DoS of the ERC4626PartnerManager.increaseConversionRate(...) method.
Proof of Concept
The following PoC verifies the above claims about pbHermes dilution and increaseConversionRate(...) DoS, just apply the diff below and run the new in-line documented test case with forge test -vv --match-test testDepositMaiaDilutionUntilConversionRateFailure:
We can clearly see the increasing dilution after each withdrawal-deposit cycle and get the expected revert, see if-condition, after reaching critical dilution:
Tools Used
VS Code, Foundry
Recommended Mitigation Steps
Burn the excess pbHermes tokens on withdrawal from the vMaia vault:
We can see that this fixes the dilution issue:
Assessed type
ERC20
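The two rate bounds described in the report, and the effect of burning pbHermes on withdrawal, can be reproduced with a small accounting model. This is an added example, not code from the report or from the Maia contracts; the class and function names, the constant bHermes balance and all amounts are constructed assumptions.

```python
# Added illustration: simplified accounting model, not the audited Solidity code.
from dataclasses import dataclass


@dataclass
class VaultModel:
    rate: int                       # current pbHermes<>bHermes conversion rate
    b_hermes: int                   # vault balance of bHermes (assumed constant)
    burn_on_withdraw: bool = False  # True models the recommended mitigation
    maia: int = 0                   # Maia tokens in vault
    pb_hermes: int = 0              # vault balance of pbHermes

    def deposit(self, amount):
        # pbHermes is minted to the vault in proportion to the deposit.
        self.maia += amount
        self.pb_hermes += amount * self.rate

    def withdraw(self, amount):
        self.maia -= amount
        if self.burn_on_withdraw:   # without this, pbHermes only ever grows
            self.pb_hermes -= amount * self.rate

    def rate_window(self):
        # min. rate: smallest rate with maia * rate >= pb_hermes (no underflow)
        # max. rate: largest rate with maia * rate <= b_hermes (fully backed)
        low = -(-self.pb_hermes // self.maia)   # ceiling division
        high = self.b_hermes // self.maia
        return low, high


def simulate(cycles, burn_on_withdraw):
    """Return (min rate, max rate, increase possible) after each cycle."""
    vault = VaultModel(rate=1, b_hermes=6000, burn_on_withdraw=burn_on_withdraw)
    vault.deposit(1000)   # constructed: long-term depositor
    vault.deposit(1000)   # constructed: account that withdraws and re-deposits
    history = []
    for _ in range(cycles):
        vault.withdraw(1000)
        vault.deposit(1000)
        low, high = vault.rate_window()
        history.append((low, high, low <= high))
    return history


if __name__ == "__main__":
    for burn in (False, True):
        print("burn on withdraw:", burn)
        for low, high, ok in simulate(5, burn):
            print(f"  min rate={low} max rate={high} increase possible={ok}")
```

In the unmitigated run the window closes once the modelled pbHermes balance (7000) exceeds the bHermes balance (6000); with the burn enabled the window stays constant across cycles.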