Spectra - blutorque's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $36,500 USDC

Total HM: 2

Participants: 39

Period: 7 days

Judge: Dravee

Id: 338

League: ETH

Spectra

Findings Distribution

Researcher Performance

Rank: 3/39

Findings: 1

Award: $6,774.64

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Arabadzhiev

Also found by: ArmedGoose, blutorque

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
:robot:_62_group
duplicate-111

Awards

6774.638 USDC - $6,774.64

External Links

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L902

Vulnerability details

Impact

The _ibtRate generally depends on the share-to-underlying ratio of an IBT ERC4626 vault. It is fetched by calling previewRedeem for 1 IBT token from the exchange directly.

Consider a scenario where the totalSupply of IBT tokens is currently in the PT vault and the exchange rate of share to underlying is 1:2.

Since the PT vault offers flash loans on IBT tokens, an attacker can use a flash loan to withdraw the totalSupply of IBT tokens from the PT and redeem them for the underlying in the IBT vault. Because the total supply of the IBT ERC4626 tokens is now zero, the ratio of share to underlying resets back to 1:1. updateYield(address) is further called in the onFlashLoan callback, which updates the _ibtRate state for every user in the PT vault.

The ibtRate has dropped, so users who have not yet claimed their yield will lose a significant amount of IBT.

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/libraries/PrincipalTokenUtil.sol#L104-L107

    uint256 expectedNegativeYieldInAssetRay = Math.ceilDiv(
        ibtOfPTInRay * (_oldIBTRate - _ibtRate),
        RayMath.RAY_UNIT
    );

Proof of Concept

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L902

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L609

Tools Used

Manual review

It is recommended to add a requirement that the IBT vault is initialized with a supply greater than a certain threshold (say 1 gwei = 10**9), and _getCurrentPTandIBTRates should also revert if this is not the case. This way, the current _ibtRate will always be kept track of, even in the case that (almost) all the shares have been redeemed.

Assessed type

Other
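
An added Python model of the rate reset and the negative-yield expression described in this report, not code from the Spectra repository or from the submission: ToyVault is a simplified ERC4626-style vault assumed to price shares 1:1 at zero supply, and all names and balances are constructed. It goes slightly beyond the report by also sketching the recommended minimum-supply guard.

```python
RAY = 10**27             # RayMath.RAY_UNIT
MIN_IBT_SUPPLY = 10**9   # threshold suggested in the report (1 gwei)
UNIT = 10**18            # one IBT token, assuming 18 decimals

class ToyVault:
    """Simplified ERC4626-style vault (assumption: 1:1 pricing at zero supply)."""
    def __init__(self, total_assets, total_supply):
        self.total_assets, self.total_supply = total_assets, total_supply

    def preview_redeem(self, shares):
        if self.total_supply == 0:
            return shares
        return shares * self.total_assets // self.total_supply

    def redeem(self, shares):
        assets = self.preview_redeem(shares)
        self.total_supply -= shares
        self.total_assets -= assets
        return assets

def ibt_rate_ray(vault):
    # Rate as the report describes it: previewRedeem of 1 IBT, scaled to ray.
    return vault.preview_redeem(UNIT) * RAY // UNIT

def guarded_ibt_rate_ray(vault):
    # Sketch of the recommended check: refuse to read a rate from a drained vault.
    if vault.total_supply < MIN_IBT_SUPPLY:
        raise RuntimeError("IBT supply below threshold")
    return ibt_rate_ray(vault)

def ceil_div(a, b):
    return -(-a // b)

def expected_negative_yield_ray(ibt_of_pt_ray, old_rate, new_rate):
    # Mirrors the Math.ceilDiv expression quoted from PrincipalTokenUtil.sol.
    return ceil_div(ibt_of_pt_ray * (old_rate - new_rate), RAY)

def simulate():
    vault = ToyVault(total_assets=2_000 * UNIT, total_supply=1_000 * UNIT)
    old_rate = ibt_rate_ray(vault)          # 2 underlying per share
    vault.redeem(vault.total_supply)        # every share leaves the vault
    new_rate = ibt_rate_ray(vault)          # falls back to 1:1
    user_ibt_ray = 10 * UNIT * 10**9        # constructed holder: 10 IBT in ray
    loss = expected_negative_yield_ray(user_ibt_ray, old_rate, new_rate)
    return old_rate, new_rate, loss, vault

if __name__ == "__main__":
    print(simulate()[:3])
```

With the guard in place, the rate read on the drained vault raises instead of returning the 1:1 value, so the previously stored rate is not overwritten.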

#0 - c4-pre-sort

2024-03-03T10:52:35Z

gzeon-c4 marked the issue as duplicate of #240

#1 - c4-pre-sort

2024-03-03T10:52:39Z

gzeon-c4 marked the issue as sufficient quality report

#2 - c4-judge

2024-03-11T01:10:48Z

JustDravee marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2024-03-15T15:32:22Z

JustDravee marked the issue as satisfactory
