Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Description
Finding Description and Impact
Operators or administrators can deallocate assets from a designated strategy via MYTStrategy::deallocate. Furthermore, operators can set the withdrawal amount, resulting in the burning of the corresponding share tokens associated with MYTStrategy. Moreover, CR will shift in both directions (top and bottom) within Peapods, resulting in more Tokens of MYTStrategy being burned upon deallocation than expected, resulting in financial loss due to insufficient slippage management.
A 500 share token burn is anticipated by the operator. The operator's transaction will be sent to the mempool, and since the CR was 0.90 prior to the deallocation transaction, 555 share tokens—more than anticipated—will be burned.
Impact
There is "Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield - Critical" going on because bad CR changes during the deallocate operation make the strategy burn a lot more share tokens than planned (555 instead of 500 in this case). These extra shares that were burned represent real user funds that are lost forever when they are withdrawn. This is theft of principal funds "in-motion" instead of yield loss, because users lose money right away when their share amount drops below what it should. Attackers or bad market conditions can take advantage of the lack of slippage protection, which causes measurable fund loss on every deallocation transaction that is impacted.
