Omniscia Kanpeki Finance Audit
DepositManager Manual Review Findings
DepositManager Manual Review Findings
DMR-01M: Inexistent Minimum Interest Validation
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Medium | DepositManager.sol:L298, L363, L391 |
Description:
The actions of the system that measure interest and either redirect it to the deposit or send it to the user as part of their withdrawal process do not actually validate that the interest is equal to what they expected to receive.
Example:
363function withdraw (address depositedToken) external nonReentrant364{365 Asset memory asset = _getAsset(depositedToken);366 Deposit memory userDeposit = _deposit[msg.sender][depositedToken];367
368 _canWithdraw(asset.vaults.deposit, depositedToken, userDeposit.amount, userDeposit.withdrawableTimestamp);369
370
371 uint256 interestToClaim = _calcClaimableInterest(asset, userDeposit, depositedToken, userDeposit.amount);372
373
374 _depositTokensOf[msg.sender].remove(depositedToken);375
376 _deposit[msg.sender][depositedToken].amount = 0;377 _deposit[msg.sender][depositedToken].withdrawableTimestamp = 0;378 _deposit[msg.sender][depositedToken].weightedAvgInterestRate = 0;379 _deposit[msg.sender][depositedToken].vaultCumulativeInterestAtLastDeposit = 0;380
381
382 _withdraw(asset, depositedToken, userDeposit.amount, userDeposit.weightedAvgInterestRate, interestToClaim);383}Recommendation:
Given the first-come first-serve nature of the protocol, we strongly recommend a slippage-like argument to be introduced in the linked functions similar to the Uniswap minimum output value to ensure that the users only withdraw their deposit if the interest they have expected to receive has been achieved.
Alleviation:
The Kanpeki Finance team has stated that this is intended behaviour and that the front-end will provide proper data to the depositors to make an informed withdrawal decision. As a result, we consider this exhibit dealt with.