Tapioca DAO - Sathish9098's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Researcher Performance

Rank: 24/132

Findings: 4

Award: $2,962.84

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Sathish9098

Also found by: 0xSmartContract, 0xnev, Udsen, jasonxiale, rvierdiiev, tsvetanovv

Labels

bug
2 (Med Risk)
primary issue
selected for report
M-13

Awards

76.5537 USDC - $76.55

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L365-L370

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L384-L424

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/singularity/SGLLeverage.sol#L117-L122

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L529-L534

Vulnerability details

Impact

The BigBang contract does not allow users to submit a deadline for their actions which execute swaps on Uniswap V3. This missing feature enables pending transactions to be maliciously executed at a later point.

Introducing a deadline parameter would help mitigate the risks associated with delayed transactions, changing token prices, and potential MEV exploitation.

Proof of Concept

FILE: tapioca-bar-audit/contracts/markets/bigBang/BigBang.sol

function buyCollateral(
    address from,
    uint256 borrowAmount,
    uint256 supplyAmount,
    uint256 minAmountOut,
    ISwapper swapper,
    bytes calldata dexData
) external notPaused solvent(from) returns (uint256 amountOut) {
    require(penrose.swappers(swapper), "SGL: Invalid swapper");

    // Let this fail first to save gas:
    uint256 supplyShare = yieldBox.toShare(assetId, supplyAmount, true);
    if (supplyShare > 0) {
        yieldBox.transfer(from, address(swapper), assetId, supplyShare);
    }

    uint256 borrowShare;
    (, borrowShare) = _borrow(from, address(swapper), borrowAmount);

    ISwapper.SwapData memory swapData = swapper.buildSwapData(
        assetId,
        collateralId,
        0,
        supplyShare + borrowShare,
        true,
        true
    );

    uint256 collateralShare;
    (amountOut, collateralShare) = swapper.swap(
        swapData,
        minAmountOut,
        from,
        dexData
    );
    require(amountOut >= minAmountOut, "SGL: not enough");

    _allowedBorrow(from, collateralShare);
    _addCollateral(from, from, false, 0, collateralShare);
}

POC

Imagine Alice is using this function to swap some tokens for collateral. She initiates the swap with the intention of receiving a certain minimum amount of collateral, specified as minAmountOut. However, due to network congestion or other issues, her transaction remains pending for a prolonged period.

During this delay, the value of the collateral might change significantly. If the value increases, Alice might end up with more collateral than expected, which could be beneficial for her. However, if the value decreases, the amountOut she receives might be lower than her originally specified minAmountOut.

Introducing a deadline parameter would allow Alice to specify a time window within which the swap must be executed. If the swap is not executed within the specified timeframe, the transaction could automatically fail or be reverted, giving Alice more control over the outcome and preventing situations where she receives an unexpectedly low amount of collateral due to delays.

Tools Used

Manual Audit

Recommended Mitigation Steps

Introduce a deadline parameter to all functions which potentially perform a swap on the user's behalf.

Assessed type

MEV
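The recommended deadline check, shown as an added Solidity example (not taken from the Tapioca code base or the original submission). `ISwapperLike`, `DeadlineGuardedMarket` and the reduced `swap` signature are hypothetical stand-ins for the market and swapper in the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not Tapioca code. ISwapperLike and DeadlineGuardedMarket
// are hypothetical; the swapper interface is reduced to one call.
interface ISwapperLike {
    function swap(uint256 amountIn, uint256 minAmountOut, address to, uint256 deadline)
        external
        returns (uint256 amountOut);
}

contract DeadlineGuardedMarket {
    error DeadlineExpired(uint256 deadline, uint256 minedAt);
    error InsufficientOutput(uint256 amountOut, uint256 minAmountOut);

    // Runs before any borrow or transfer, so a stale transaction reverts
    // without touching the user's position.
    modifier checkDeadline(uint256 deadline) {
        if (block.timestamp > deadline) {
            revert DeadlineExpired(deadline, block.timestamp);
        }
        _;
    }

    // `deadline` is an absolute unix timestamp chosen off-chain and covered by
    // the user's signature. Computing it on-chain (e.g. passing
    // block.timestamp) would always pass and protects nothing.
    function buyCollateral(
        uint256 amountIn,
        uint256 minAmountOut,
        uint256 deadline,
        ISwapperLike swapper
    ) external checkDeadline(deadline) returns (uint256 amountOut) {
        // Forward the same user-supplied deadline to the DEX-facing call.
        amountOut = swapper.swap(amountIn, minAmountOut, msg.sender, deadline);
        if (amountOut < minAmountOut) {
            revert InsufficientOutput(amountOut, minAmountOut);
        }
    }
}
```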

#0 - c4-pre-sort

2023-08-05T12:43:15Z

minhquanym marked the issue as duplicate of #1513

#1 - c4-judge

2023-09-29T21:48:43Z

dmvt marked the issue as selected for report
