Olas - adeolu's results

Olas is a unified network for off-chain services like automation, oracles, co-owned AI. It offers a stack for building services and a protocol for incentivizing their creation and their operation in a co-owned and decentralized way.

General Information

Platform: Code4rena

Start Date: 21/12/2023

Pot Size: $90,500 USDC

Total HM: 10

Participants: 39

Period: 18 days

Judge: LSDan

Total Solo HM: 5

Id: 315

League: ETH

Researcher Performance

Rank: 18/39

Findings: 1

Award: $358.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: erebus

Also found by: adeolu, oakcobalt, thank_you, windowhan001

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-339

Awards

358.7303 USDC - $358.73

External Links

Lines of code

https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/lockbox-solana/solidity/liquidity_lockbox.sol#L277

Vulnerability details

Impact

In liquidity_lockbox.sol, users withdraw LP tokens to get the underlying tokens via withdraw(). withdraw() uses whirlpool.decreaseLiquidity() to convert an LP token amount into the underlying tokens. In that call, the tokenMinA and tokenMinB parameters are hardcoded to 0, so the call will not revert even if zero token A and zero token B are returned. In some edge cases users can therefore lose money and unknowingly receive zero value for their LP tokens. There is no adequate slippage protection for users.

Orca Whirlpool is an AMM on Solana. Any removal of liquidity from the AMM pool can be subject to slippage, whereby the final amount withdrawn differs from the expected amount.

It is better to allow users to set or determine the minimum amount of tokens they expect to receive from a trade, a swap, or whenever they exit a liquidity position.

Proof of Concept

https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/lockbox-solana/solidity/interfaces/whirlpool.sol#L193

function decreaseLiquidity(uint128 liquidityAmount, uint64 tokenMinA, uint64 tokenMinB) external;

https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/lockbox-solana/solidity/liquidity_lockbox.sol#L277

whirlpool.decreaseLiquidity{accounts: metasDecreaseLiquidity, seeds: [[pdaProgramSeed, pdaBump]]}(amount, 0, 0);

In the code snippet above (line 277 of liquidity_lockbox.sol), tokenMinA and tokenMinB are hardcoded to 0 at all times. This does not account for extreme conditions in which large slippage can occur, and it puts the user at risk of loss since the user has no control over the output. A user may expect to receive token amounts greater than 0 but can actually receive nothing.

Tools Used

Manual review.

Recommended Mitigation Steps

Add extra parameters that allow users to set the tokenMinA and tokenMinB amounts used in the whirlpool call. For example:

function withdraw(uint64 amount, uint64 tokenMinA, uint64 tokenMinB) external {

and in line 277

whirlpool.decreaseLiquidity{accounts: metasDecreaseLiquidity, seeds: [[pdaProgramSeed, pdaBump]]}(amount, tokenMinA, tokenMinB);
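As an added illustration (not code from the Autonolas repository), the toy pool below mimics the semantics of whirlpool.decreaseLiquidity(liquidityAmount, tokenMinA, tokenMinB) so that the effect of the hardcoded zeros and of the user-supplied minimums recommended here can be checked offline. The pool, its reserves and the constant-product swap are constructed assumptions; a real Whirlpool position is concentrated liquidity, which this does not model.

```python
from dataclasses import dataclass


class SlippageExceeded(Exception):
    """Raised when the tokens returned fall below the caller's minimums (the pool call 'reverts')."""


@dataclass
class ToyPool:
    # Constructed stand-in for a whirlpool: reserves of token A and B plus total liquidity units.
    reserve_a: int
    reserve_b: int
    liquidity: int

    def quote(self, liquidity_amount: int) -> tuple[int, int]:
        """Pro-rata value of a liquidity amount at the current reserves (integer division, as on chain)."""
        return (self.reserve_a * liquidity_amount // self.liquidity,
                self.reserve_b * liquidity_amount // self.liquidity)

    def swap_a_for_b(self, amount_in: int) -> int:
        """Constant-product swap; used to move the price between the user's quote and the withdrawal."""
        amount_out = self.reserve_b * amount_in // (self.reserve_a + amount_in)
        self.reserve_a += amount_in
        self.reserve_b -= amount_out
        return amount_out

    def decrease_liquidity(self, liquidity_amount: int, token_min_a: int, token_min_b: int) -> tuple[int, int]:
        """Mirror of whirlpool.decreaseLiquidity: revert if either output is below its minimum."""
        out_a, out_b = self.quote(liquidity_amount)
        if out_a < token_min_a or out_b < token_min_b:
            raise SlippageExceeded(f"got ({out_a}, {out_b}), wanted at least ({token_min_a}, {token_min_b})")
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.liquidity -= liquidity_amount
        return out_a, out_b


def withdraw_hardcoded_zero(pool: ToyPool, amount: int) -> tuple[int, int]:
    """The shape of liquidity_lockbox.sol line 277: minimums fixed to 0, so any output is accepted."""
    return pool.decrease_liquidity(amount, 0, 0)


def withdraw_with_minimums(pool: ToyPool, amount: int, token_min_a: int, token_min_b: int) -> tuple[int, int]:
    """The recommended shape: the caller's minimums are passed through and enforced by the pool."""
    return pool.decrease_liquidity(amount, token_min_a, token_min_b)


def min_with_tolerance(quoted: int, slippage_bps: int) -> int:
    """Minimum a user derives from a quote, e.g. 50 bps accepts at most 0.5% less than quoted."""
    return quoted * (10_000 - slippage_bps) // 10_000
```

Two cases are worth running: a large swap between quote and withdrawal, where the zero-minimum path hands back a tenth of the quoted token B, and a dust-sized position whose pro-rata share rounds to zero, where the zero-minimum path burns the liquidity and returns nothing.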

Assessed type

Other

#0 - c4-pre-sort

2024-01-10T15:19:40Z

alex-ppg marked the issue as duplicate of #339

#1 - c4-pre-sort

2024-01-10T15:19:43Z

alex-ppg marked the issue as sufficient quality report

#2 - c4-judge

2024-01-19T20:47:13Z

dmvt marked the issue as satisfactory
