Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

First ERC4626 deposit can be exploited to break share calculation #672

Closed
code423n4 opened this issue Feb 7, 2023 · 5 comments
Closed

First ERC4626 deposit can be exploited to break share calculation #672

code423n4 opened this issue Feb 7, 2023 · 5 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-243 satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L294-L301

Vulnerability details

Impact

This is a common attack vector involving shares based liquidity pool contracts. An early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share.

Apparently, the first depositor of an ERC4626 vault can maliciously manipulate the share price by depositing the lowest possible amount with 1 wei of liquidity and then artificially inflating ERC4626.totalAssets.

This can inflate the base share price to as high as 1:1e18, forcing all subsequent deposits to be dictated by this share price as a base. Additionally, due to rounding down, if this malicious initial deposit were to front-run someone else depositing, this depositor would end up receiving 0 shares and losing his deposited assets.

ERC4626 vault share price can be maliciously inflated on the initial deposit, leading to the next depositor losing assets due to precision issues.

Proof of Concept

Here is a typical exploit scenario where:

A vault is using DAI as its underlying asset.

  1. Bob, the attacker, deposits an initial liquidity of 1 wei of DAI via deposit().
  2. Bob receives 1e18 (1 wei) vault of shares.
  3. Bob transfers 1 ether of DAI to the vault to artificially inflate the asset balance without minting any new shares.
  4. The asset balance is now 1 ether + 1 wei of DAI, i.e. the vault share price is now very high which is equivalent to 1000000000000000000001 wei or 1000 * 1e18.
  5. Next, Alice, the victim, deposits 100 ether of DAI.
  6. Alice receives 0 shares due to a precision issue.
  7. Alice's deposited funds are deemed lost.

Note: As denoted in the code block below, shares are determined via its return statement, supply == 0 ? assets : assets.mulDiv(supply, totalAssets(), Math.Rounding.Down). In the event of a very high share price, due to totalAssets() very much larger than assets * supply, shares will be returned 0.

File: Vault.sol#L294-L301

    function convertToShares(uint256 assets) public view returns (uint256) {
        uint256 supply = totalSupply(); // Saves an extra SLOAD if totalSupply is non-zero.

        return
            supply == 0
                ? assets
                : assets.mulDiv(supply, totalAssets(), Math.Rounding.Down);
    }

Tools Used

Manual inspection

Recommended Mitigation Steps

Consider sending the first 1000 shares to address 0, a mitigation approach adopted by the Uniswap V2 protocol when supply == 0.

Additionally, the protocol could look into implementing slippage protection to further mitigate the situations.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 7, 2023
code423n4 added a commit that referenced this issue Feb 7, 2023
@code423n4
RaymondFam issue #672
25a9fe0
@c4-judge
Copy link
Contributor

dmvt marked the issue as duplicate of #15

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Feb 18, 2023
@c4-sponsor
Copy link

RedVeil marked the issue as sponsor confirmed

@c4-judge c4-judge added the partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) label Feb 23, 2023
@c4-judge
Copy link
Contributor

dmvt marked the issue as partial-50

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 23, 2023
@c4-judge
Copy link
Contributor

dmvt changed the severity to 3 (High Risk)

@c4-judge c4-judge added duplicate-243 satisfactory satisfies C4 submission criteria; eligible for awards and removed duplicate-15 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) labels Feb 23, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Mar 1, 2023

dmvt marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-243 satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-judge @c4-sponsor