Omniscia Euler Finance Audit
ConversionHelpers Manual Review Findings
CHS-01M: Inefficient Imposition of Virtual Deposit
Type | Severity | Location
---|---|---
Standard Conformity | | ConversionHelpers.sol:L20-L22
Description:
The ConversionHelpers::conversionTotals function imposes a virtual deposit that enforces a 1:1 ratio between the virtual assets and the virtual shares, which is equivalent in security to the "basic" level described in OpenZeppelin's EIP-4626 inflation-attack research.
Impact:
While the EIP-4626 first-deposit inflation attack is no longer profitable thanks to the virtual offsets in ConversionHelpers::conversionTotals, it need not leave a would-be attacker worse off than the victim, and thus could potentially be carried out as a griefing attack.
Example:
```solidity
function conversionTotals(VaultCache memory vaultCache)
    internal
    pure
    returns (uint256 totalAssets, uint256 totalShares)
{
    unchecked {
        totalAssets =
            vaultCache.cash.toUint() + vaultCache.totalBorrows.toAssetsUp().toUint() + VIRTUAL_DEPOSIT_AMOUNT;
        totalShares = vaultCache.totalShares.toUint() + VIRTUAL_DEPOSIT_AMOUNT;
    }
}
```
Recommendation:
We advise the system to offset the total shares by one decimal factor more than the total assets (the "decimals offset" of OpenZeppelin's EIP-4626 implementation), increasing the security level of the virtual deposit system against first-deposit inflation attacks.
Specifically, a 1:1 ratio of virtual assets to virtual shares causes the attack to be unprofitable but to yield at best a net-zero benefit, which can still be capitalized as a griefing attack. A 1:10 ratio causes the attack to actively hurt the would-be attacker, thereby acting as a much stronger deterrent against these types of attacks.
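The following simulation is an added illustration and is not Euler's or OpenZeppelin's code. It models a vault whose share/asset conversion adds a virtual deposit exactly as conversionTotals does (with totalBorrows assumed to be zero and all divisions rounding down as in Solidity), then runs the classic first-deposit attack (attacker deposits 1 unit, donates assets directly to the vault, victim deposits, both redeem) under no offset, a 1:1 offset, and a 1:10 offset. The donation and deposit sizes, and the 1_000_000 value used for VIRTUAL_DEPOSIT_AMOUNT in the last case, are assumptions; the page does not state the constant's value.

```python
"""Constructed simulation (not Euler's or OpenZeppelin's code) of the EIP-4626
first-deposit inflation attack against a vault whose share/asset conversion
adds a virtual deposit, as ConversionHelpers::conversionTotals does.
Assumptions: totalBorrows == 0, all divisions round down like Solidity, and
the 1:10 case is modelled as virtual_shares == 10 * virtual_assets."""

from dataclasses import dataclass


@dataclass
class Vault:
    virtual_assets: int        # VIRTUAL_DEPOSIT_AMOUNT added to totalAssets
    virtual_shares: int        # virtual offset added to totalShares
    cash: int = 0              # real assets held by the vault
    total_shares: int = 0      # real shares minted

    def conversion_totals(self) -> tuple[int, int]:
        # Mirrors conversionTotals() with totalBorrows == 0.
        return self.cash + self.virtual_assets, self.total_shares + self.virtual_shares

    def deposit(self, assets: int) -> int:
        total_assets, total_shares = self.conversion_totals()
        if total_shares == 0 or total_assets == 0:
            shares = assets          # empty vault without any virtual offset
        else:
            shares = assets * total_shares // total_assets   # rounds down
        self.cash += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        # Plain ERC-20 transfer into the vault: raises cash, mints no shares.
        self.cash += assets

    def redeem(self, shares: int) -> int:
        total_assets, total_shares = self.conversion_totals()
        assets = shares * total_assets // total_shares if total_shares else 0
        self.cash -= assets
        self.total_shares -= shares
        return assets


def inflation_attack(virtual_assets: int, virtual_shares: int,
                     donation: int = 10_000, victim_deposit: int = 10_000) -> dict:
    """Attacker deposits 1 unit, donates `donation`, the victim deposits, then
    both redeem everything.  Positive attacker_profit means the attack pays."""
    v = Vault(virtual_assets, virtual_shares)
    attacker_shares = v.deposit(1)
    v.donate(donation)
    attacker_spent = 1 + donation
    victim_shares = v.deposit(victim_deposit)
    victim_back = v.redeem(victim_shares)
    attacker_back = v.redeem(attacker_shares)
    return {
        "victim_shares": victim_shares,
        "victim_loss": victim_deposit - victim_back,
        "attacker_profit": attacker_back - attacker_spent,
    }


def compare_offsets() -> dict:
    """Same attack under four conversion rules.  VIRTUAL_DEPOSIT_AMOUNT is not
    stated on the page; 1_000_000 below is an assumed value."""
    return {
        "no virtual deposit": inflation_attack(0, 0),
        "1:1 offset, virtual deposit 1": inflation_attack(1, 1),
        "1:10 offset, virtual deposit 1": inflation_attack(1, 10),
        "1:1 offset, virtual deposit 1e6": inflation_attack(1_000_000, 1_000_000),
    }


if __name__ == "__main__":
    for name, r in compare_offsets().items():
        print(f"{name:32} victim_shares={r['victim_shares']:5} "
              f"victim_loss={r['victim_loss']:6} attacker_profit={r['attacker_profit']:6}")
```

With these inputs the attacker captures the victim's whole deposit when there is no virtual deposit at all, loses almost exactly what the victim loses under a 1:1 offset (griefing at par, the net-zero outcome the finding describes), and loses roughly nineteen times what the victim loses under a 1:10 offset. The last row shows that the size of the virtual deposit matters as much as the ratio: once VIRTUAL_DEPOSIT_AMOUNT dwarfs the donation, even the 1:1 configuration costs the attacker the entire donation to inflict a rounding-level loss on the victim, which is the trade-off the Euler team's response relies on.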
Alleviation (fb2dd77a6ff9b7f710edb48e7eb5437e0db4fc1a):
The Euler Finance team evaluated this exhibit and assessed that a virtual decimal offset would create downstream complications that could not be trivially resolved.
As such, they consider the basic (1:1) version of the EIP-4626 security mechanism adequate for their intents and purposes, as clarified in their thorough analysis blog post located here.