First deposit bug

Summary

When cToken.totalSupply() == 0, an attacker can make the first deposit in a way that leads stealing of funds of other depositors. This is popularly known as first deposit bug. Since Numa cToken is fork of compound cToken, the same bugs inherited into the Numa cToken as well.

https://github.com/sherlock-audit/2024-12-numa-audit/blob/ae1d7781efb4cb2c3a40c642887ddadeecabb97d/Numa/contracts/lending/CToken.sol#L522

Root Cause

The issue is already explained in detail here.

Internal pre-conditions

Requires initial cToken.totalSupply()to be 0
And subsequent users deposits

External pre-conditions

No response

Attack Path

No response

Impact

Stealing funds of initial depositors

PoC

https://github.com/akshaysrivastav/first-deposit-bug-compv2/blob/main/test/Attack.ts

Mitigation

Mint initial liquidity to address(0), similar to uniswap

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

035.md

035.md

First deposit bug

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

035.md

Latest commit

History

035.md

File metadata and controls

First deposit bug

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation