Platform: Code4rena
Start Date: 21/11/2022
Pot Size: $90,500 USDC
Total HM: 18
Participants: 101
Period: 7 days
Judge: Picodes
Total Solo HM: 4
Id: 183
League: ETH
Rank: 82/101
Findings: 2
Award: $41.25
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Jeiwan
Also found by: 0xLad, 0xSmartContract, 8olidity, HE1M, JohnSmith, KingNFT, Koolex, Lambda, R2, __141345__, carrotsmuggler, cccz, gogo, hl_, joestakey, koxuan, ladboy233, pashov, peanuts, rbserver, rvierdiiev, seyni, unforgiven, xiaoming90, yongskiws
25.3241 USDC - $25.32
https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/PirexERC4626.sol#L60-L77 https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/PirexERC4626.sol#L80-L97
The user who deposits first can perform a "donation" attack on the user who deposits afterwards. The second user expects to get D shares for a deposit of D assets, but will get significantly less than D shares.
The issue is present in the deposit() and mint() functions of the PirexERC4626 contract. The issue is also present in depositGmx() and depositGlp()
Bob deposited for 66.2% (100 / 151) of the assets in the vault, but is only entitled to 50% (both he and Alice have 1 wei of shares). Bob can only withdraw 75.5 * 1e18 assets and has lost ~25% of his original deposit.
Add a minimum deposit size for the first deposit, or add "virtual" assets and shares when doing conversions. See YieldBox for an example.
#0 - c4-judge
2022-12-03T21:15:28Z
Picodes marked the issue as duplicate of #407
#1 - c4-judge
2023-01-01T11:07:00Z
Picodes marked the issue as satisfactory
#2 - C4-Staff
2023-01-10T21:53:51Z
JeeberC4 marked the issue as duplicate of #275
🌟 Selected for report: deliriusz
Also found by: 0x52, 0xLad, 0xbepresent, Englave, R2, Ruhum, cccz, gzeon, hihen, keccak123, ladboy233, pashov, pedroais, perseverancesuccess, rbserver, rvierdiiev, simon135, unforgiven, wagmi, xiaoming90
15.9293 USDC - $15.93
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L242-L247 https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexRewards.sol#L373
Vault rewards may be drained through a combination of claimRewards(),
compound(), and uniswap trades by the attacker.
claimRewards({producerToken: WETH, user: vault}) to get WETH into the vault.compound({fee: poolFee, amountOutMinimum: 1, sqrtPriceLimitX96: 0, optOutIncentive: true}) . The attacker sandwiches this transaction with two transactions which purchase and sell WETH.Only allow compound() to be called by trusted operators. Additionally, consider calculating amountOutMinimum based on chainlink oracle prices.
#0 - c4-judge
2022-12-03T18:49:15Z
Picodes marked the issue as duplicate of #183
#1 - c4-judge
2022-12-30T20:53:41Z
Picodes marked the issue as duplicate of #185
#2 - c4-judge
2023-01-01T11:13:14Z
Picodes marked the issue as satisfactory
#3 - c4-judge
2023-01-01T11:37:32Z
Picodes changed the severity to 2 (Med Risk)
#4 - C4-Staff
2023-01-10T22:10:37Z
JeeberC4 marked the issue as duplicate of #137