Description
Summary
A successful transaction deterministically burns user shares while transferring zero currency tokens in return. This occurs without revert and without any recovery mechanism. All value loss is final.
Note: This is a private security disclosure. Please do not make this issue public. I am happy to provide additional evidence and discuss remediation.
Severity
Critical - Direct, irreversible loss of user funds.
Affected Component
- markets/open-fund-market/contracts/OpenFundMarket.sol (Line 237-268, setRedeemNav)
- sft/abilities/contracts/fcfs-multi-repayable/FCFSMultiRepayableConcrete.sol (Line 44-48, claimOnlyDelegate)
Root Cause
setRedeemNav() accepts nav_ = 0 without validation. When a user subsequently calls claim(), the payout is calculated as claimValue * 0 / 1e18 = 0, but shares are already burned.
State Transition (Proof)
| State | User Shares | User Currency | Pool Currency |
|---|---|---|---|
| Before | 1e18 | 0 | 1e18 |
| After | 0 (burned) | 0 | 1e18 (retained) |
Result: User loses 100% of principal. No revert. No recovery path.
Suggested Fix
```solidity
require(nav_ > 0, "NAV must be positive");
```
Contact
I have a full evidence package (Foundry PoC, state snapshots, invariant analysis) ready to share. Please reach out to discuss.
Best regards,
Tatsuya
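The state transition in the report, reduced to a minimal model, as an added example that is not part of the original report and is not the project's code. The contract name, storage layout, function names and the `ZeroPayout` claim-side check are assumptions made for illustration; access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this example. It is NOT the OpenFundMarket or
// FCFSMultiRepayableConcrete source; every name below is hypothetical.
contract RedeemNavModel {
    uint256 private constant NAV_SCALE = 1e18;

    mapping(address => uint256) public shares;   // redeemable share balance
    mapping(address => uint256) public currency; // currency paid out to users
    uint256 public poolCurrency;                 // currency held for redemptions
    uint256 public redeemNav;                    // price per share, scaled by 1e18

    error ZeroNav();
    error ZeroPayout();

    constructor(address user, uint256 userShares, uint256 poolBalance) {
        shares[user] = userShares;
        poolCurrency = poolBalance;
    }

    // Unguarded setter, as the report describes: nav_ = 0 is accepted.
    function setRedeemNavUnchecked(uint256 nav_) external {
        redeemNav = nav_;
    }

    // Guarded setter: the check suggested in the report.
    function setRedeemNav(uint256 nav_) external {
        if (nav_ == 0) revert ZeroNav();
        redeemNav = nav_;
    }

    // Burn-then-pay claim. With redeemNav == 0 the call succeeds, the payout
    // is claimValue * 0 / 1e18 = 0, and the shares are already gone.
    function claimUnchecked(uint256 claimValue) external returns (uint256 payout) {
        shares[msg.sender] -= claimValue; // burn
        payout = claimValue * redeemNav / NAV_SCALE;
        poolCurrency -= payout;
        currency[msg.sender] += payout;
    }

    // Defense in depth (an addition of this example): compute the payout
    // first and refuse to burn shares for a zero payout.
    function claim(uint256 claimValue) external returns (uint256 payout) {
        payout = claimValue * redeemNav / NAV_SCALE;
        if (claimValue > 0 && payout == 0) revert ZeroPayout();
        shares[msg.sender] -= claimValue;
        poolCurrency -= payout;
        currency[msg.sender] += payout;
    }
}
```

Deployed with 1e18 user shares and 1e18 pool currency, `setRedeemNavUnchecked(0)` followed by `claimUnchecked(1e18)` reproduces the Before/After rows of the table, while the guarded pair reverts instead of burning.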