findings | December 31, 2024

YieldNest – Inflating vault’s share rate via reentrancy

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

This attack results in the theft of assets alongside an inflated share value

Vulnerability Details

The withdrawal process from the Max Vault works in the following way:

First, it decreases the totalAssets metric:

    vaultStorage.totalAssets -= _convertAssetToBase(asset_, assets);

Next, it withdraws from the buffer strategy (KernelStrategy vault):

    IStrategy(vaultStorage.buffer).withdraw(assets, receiver, address(this));

Then, it burns the user’s shares in the Max Vault:

    _burn(owner, shares);

The withdrawal mechanism in KernelStrategy is similar, but it distributes the base asset to the user (defined as the receiver parameter) instead of withdrawing from another vault:

    SafeERC20.safeTransfer(IERC20(asset_), receiver, assets);

If the base asset is an ERC20 token equipped with a callback function, the user could designate a contract as the receiver. This contract can then invoke the processAccounting function, which updates the totalAssets variable in the Max Vault. Since the buffer strategy burns shares only after the transfer, the shares in the Max Vault have not yet been burned.

This allows the totalAssets variable to revert to its pre-withdrawal value. As a result, the user’s shares in the Max Vault are subsequently burned, leading to an inflation in share value (totalAssets remains constant while the number of shares decreases).

Note: This issue has been reported as medium because the currently used assets do not pose such a threat, although the team plans to dynamically expand their offer.

Impact

MEDIUM – This attack results in the theft of assets alongside an inflated share value.

Recommendation

To mitigate this issue, it is essential to implement the Checks-Effects-Interactions pattern. This ensures that the transfer of tokens to the user occurs only after the shares have been fully burned.

Additionally, the processAccounting function should incorporate a nonReentrant modifier to prevent potential reentrancy attacks.
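The accounting from the Vulnerability Details and Recommendation sections, reduced to a single-asset Python model (an added example, not YieldNest's or the author's code). It runs the withdrawal in the order the finding describes and in the Checks-Effects-Interactions order, with an optional reentrancy guard. The 1:1 share valuation, the `transfer_hook` callable standing in for the token callback, and all class and function names are assumptions of the model.

```python
class Buffer:                      # stands in for the KernelStrategy buffer
    def __init__(self, cei):
        self.cei = cei             # True: burn before transfer (hardened order)
        self.vault_shares = 0      # strategy shares held by the Max Vault

    def withdraw(self, assets, transfer_hook):
        if self.cei:
            self.vault_shares -= assets   # effect first
            transfer_hook()               # interaction: transfer + token callback
        else:
            transfer_hook()               # order described in the finding
            self.vault_shares -= assets

class MaxVault:
    def __init__(self, buffer, guard):
        self.buffer, self.guard = buffer, guard
        self.total_assets = self.total_shares = 0
        self.locked = False

    def deposit(self, assets):            # 1:1 mint, enough for the model
        self.total_assets += assets
        self.total_shares += assets
        self.buffer.vault_shares += assets

    def process_accounting(self):
        # Assumption: with the guard on, this shares one lock with withdraw().
        if self.guard and self.locked:
            raise RuntimeError("reentrant call")   # models a revert
        self.total_assets = self.buffer.vault_shares

    def withdraw(self, assets, shares, transfer_hook):
        self.locked = True
        self.total_assets -= assets                   # 1. decrease totalAssets
        self.buffer.withdraw(assets, transfer_hook)   # 2. withdraw from buffer
        self.total_shares -= shares                   # 3. burn Max Vault shares
        self.locked = False

def simulate(cei, guard):
    """Deposit 1000, withdraw 100 to a receiver whose hook calls
    process_accounting(); return (total_assets, total_shares)."""
    vault = MaxVault(Buffer(cei), guard)
    vault.deposit(1000)
    vault.withdraw(100, 100, vault.process_accounting)
    return vault.total_assets, vault.total_shares

if __name__ == "__main__":
    print("order from the finding:", simulate(cei=False, guard=False))
    print("CEI order:             ", simulate(cei=True, guard=False))
```

In the order from the finding the model ends at (1000, 900), a share rate of about 1.11 after a single withdrawal, while the CEI order ends at (900, 900). With the guard enabled the reentrant call raises, which models the transaction reverting.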
