In _depositOnVaultCreation, assets are not coverted into shares

[hats-bug-reporter]

Github username: --
Twitter username: --
Submission hash (on-chain): 0x6136a377e37728893b5ff6432b34d5f304b13b9baf6c039465823a705d33e801
Severity: high

Description:
Description
Upon creation of an Atom, a user can be the first depositor in the Atom they've created using _depositOnVaultCreation. They send msg.value that should be their deposited amount.

The problem is the assets amount is used as shares and the user will get much more shares than he should.

        uint256 sharesForReceiver = assets;
        _mint(receiver, id, sharesForReceiver);

As we can see in the _deposit, getDepositSharesAndFees is called to calculate the shares for the provided amount.

        (uint256 totalAssetsDelta, uint256 sharesForReceiver, uint256 userAssetsAfterTotalFees, uint256 entryFee) =
            getDepositSharesAndFees(value, id);

Attack Scenario
Let's assume 5 assets = 1 share;

User deposits 5 assets, 5 shares will be minted to him. Later when he redeem, he will have 5 shares which will be equal to 25 assets.

Making the user get 20 more assets with only 5 deposited.

Describe how the vulnerability can be exploited.

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

+        (uint256 totalAssetsDelta, uint256 sharesForReceiver, uint256 userAssetsAfterTotalFees, uint256 entryFee) = getDepositSharesAndFees(assets, id);
+        uint256 sharesForReceiver = sharesForReceiver;

-        uint256 sharesForReceiver = assets;

[mihailo-maksa]

Duplicate of issue #74.