Fei Protocol contest - cmichel's results

Handle

cmichel

Vulnerability details

The preMergeCirculatingTribe value of TRIBERagequit.sol is supposed to be 619,605,725.325389147000000000 according to this post.

But it's 711,206,739.862133.

Recommendation

Set preMergeCirculatingTribe = 619605725325389147000000000

Handle

cmichel

Vulnerability details

The TRIBERagequit.ngmi function takes in TRIBE and gives out FEI tokens at a dynamic price (token1OutBase) that involves the protocol equity, see requery. This price can change and be updated by anyone by calling requery(). The price is adjusted down, meaning it's possible to receive less token1s than expected.

POC

1. Victim sees the current token1OutBase price and wants to exit their position and submits a ngmi transaction
2. Attacker frontruns the ngmi transaction by calling requery which can lower the token1OutBase price if the newProtocolEquity has decreased
3. Victim transaction is mined and they receive fewer tokens than desired

Impact

Users can receive fewer tokens than expected when calling ngmi.

Recommendation

Add minimum return amount checks. Accept a function parameter minToken1Amount that can be chosen by the transaction sender, then check that the actually received amount token1GivenTotal is greater or equal to this parameter, and reverts otherwise.

Handle

cmichel

Vulnerability details

The TRIBERagequit.recalculate function is public and can be called by anyone. It only uses already cached values and therefore there's no reason for anyone to actually call it. Note that when minProtocolEquity changes, this function is always called afterwards.

It should be internal instead and only be called by requery.