This results in non-compliance with the ERC4626 standard, leading to the potential
for withdrawal attempts based on maxWithdraw results to fail.
Vulnerability Details
Per the ERC4626 standard, the maxWithdraw function is required to return the maximum amount of assets that can be withdrawn without causing a revert, and this amount must not exceed the actual maximum that can be accepted.
In the BaseVault and KernelStrategy contracts, the maxWithdraw function has not been updated to include fees. As a result, it calculates the total assets without factoring in the fees, which may cause the calculated shares to exceed the user’s available shares when they attempt to withdraw the maximum amount suggested by maxWithdraw .
Vulnerable scenario
The following actions illustrate this issue:
- An external application integrates with
MaxVault, adding a feature for users to withdraw their total assets. - A user initiates a request to withdraw all their assets.
- The external application calls
maxWithdrawto determine the total withdrawable assets for that user, then invokes the withdraw function. - The
MaxVaultcomputes the shares to be burnt using thepreviewWithdrawfunction, which results in a calculation that suggests burning more shares than the user possesses. - The transaction reverts during the
_burnfunction call.
Impact
MEDIUM – This results in non-compliance with the ERC4626 standard, leading to the potential for withdrawal attempts based on maxWithdraw results to fail.
Recommendation
The maxWithdraw function should be updated to account for fees, thus providing a more accurate amount of assets that a user may withdraw.
References
Meet Composable Security
Get throughly tested by the creators of Smart Contract Security Verification Standard
