Mimo DeFi contest - 0x52's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 28/04/2022

Pot Size: $50,000 USDC

Total HM: 7

Participants: 43

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 115

League: ETH

Researcher Performance

Rank: 31/43

Findings: 1

Award: $104.94

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

104.9405 USDC - $104.94

Labels

bug
disagree with severity
QA (Quality Assurance)
sponsor acknowledged

External Links

Lines of code

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/oracles/BalancerV2LPOracle.sol#L88-L115

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/oracles/GUniLPOracle.sol#L91-L118

Vulnerability details

Oracle reports incorrect valuation of LP when the decimals from OracleA and OracleB don't match

Impact

LP is overvalued, allowing a malicious borrower to value more than the LP is worth

Proof of Concept

Assume a very simple pool with 10 LP containing two assets, 1 of each valued at $1 each, and that the oracle for asset A reports with 4 decimals and asset B with 3 decimals.

That would give us the following inputs into _computerFairReserves():

resA - 1e18
resB - 1e18
wA - 0.5
wB - 0.5
pxA - 10000 ($1 reported at 4 decimals)
pxB - 1000 ($1 reported at 3 decimals)

Now we'll walk through _computerFairReserves():

r0 = resA/resB = 1
r1 = (wA * pxB)/(wB * pxA) = 0.1

r0 > r1
ratio = r1/r0 = 0.1

fairResA = = 0.316
fairResB = = 3.162

Plug that into the answer equation:

answer = (fairResA * pxA + fairResB * pxB) / total supply = 632 (3 decimal places)

The true value of the LP is calculated as: AmountA * PriceA + AmountB * PriceB = 200 (3 decimal places)

In this scenario it values the LP at ~3.16x its true value.

Tools Used

Excel

Normalize the answer from the oracle to a standard number of decimals to avoid mismatch
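The walk-through above as an added Python example (not part of the original submission or the Mimo code base): it reproduces the inflated answer and shows what the suggested normalization changes. The fair-reserve expressions are missing from the page, so the weighted-pool form used here is an assumption, as are the `normalize` helper, the 18-decimal total supply and the use of floats instead of fixed-point math.

```python
"""Added example: float model of the walk-through, not the contract's code."""


def fair_reserves(res_a, res_b, w_a, w_b, px_a, px_b):
    # ASSUMPTION: the page lost the fairResA/fairResB expressions; this
    # weighted-pool form reproduces the page's 0.316 and 3.162.
    r0 = res_a / res_b
    r1 = (w_a * px_b) / (w_b * px_a)
    if r0 > r1:
        ratio = r1 / r0
        return res_a * ratio ** w_b, res_b / ratio ** w_a
    ratio = r0 / r1
    return res_a / ratio ** w_b, res_b * ratio ** w_a


def lp_price(res_a, res_b, w_a, w_b, px_a, px_b, total_supply):
    # answer = (fairResA * pxA + fairResB * pxB) / total supply
    fair_a, fair_b = fair_reserves(res_a, res_b, w_a, w_b, px_a, px_b)
    return (fair_a * px_a + fair_b * px_b) / total_supply


def normalize(px, decimals, target):
    # Hypothetical helper: rescale a raw oracle answer to `target` decimals.
    if decimals >= target:
        return px / 10 ** (decimals - target)
    return px * 10 ** (target - decimals)


# Inputs taken from the page's proof of concept.
RES_A = RES_B = 1e18
W_A = W_B = 0.5
PX_A, DEC_A = 10000, 4   # $1 reported at 4 decimals
PX_B, DEC_B = 1000, 3    # $1 reported at 3 decimals
TOTAL_SUPPLY = 10e18     # ASSUMPTION: 10 LP with 18 decimals


def mismatched_price():
    # Raw answers used as-is: pxA looks 10x larger than pxB.
    return lp_price(RES_A, RES_B, W_A, W_B, PX_A, PX_B, TOTAL_SUPPLY)


def normalized_price(target=3):
    # Both answers rescaled to the same number of decimals first.
    px_a = normalize(PX_A, DEC_A, target)
    px_b = normalize(PX_B, DEC_B, target)
    return lp_price(RES_A, RES_B, W_A, W_B, px_a, px_b, TOTAL_SUPPLY)


if __name__ == "__main__":
    print(mismatched_price(), normalized_price())
```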

#0 - kartoonjoy

2022-05-02T14:11:57Z

Updated Lines of Code section per warden request in help desk ticket, https://www.notion.so/code4rena/Found-repeat-bug-99145d23b99e455a814366e03c6622b5.

#1 - m19

2022-05-05T08:44:00Z

We agree this issue exists but we don't think it's high risk because all Chainlink oracles are 8 decimals

#2 - gzeoneth

2022-06-05T14:11:07Z

It would be nice to check the decimal but one could argue this is for gas optimization and gated by admin. Downgrading to Low / QA.

#3 - gzeoneth

2022-06-05T16:24:02Z

Consider as warden's QA report.
