Platform: Code4rena
Start Date: 25/11/2021
Pot Size: $80,000 USDC
Total HM: 35
Participants: 32
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 27
Id: 59
League: ETH
Rank: 25/32
Findings: 1
Award: $298.01
π Selected for report: 1
π Solo Findings: 0
298.0144 USDC - $298.01
danb
System profit comes from the stabilize function when the price of malt is above 1. Therefore it should not be allowed for anyone to take a part of the system profit when the price is above one. Right now, anyone can take a part of the investors' profits, even if they don't own any malt at all.
suppose that the price went up to 1.2 dai; the investors should get the reward for this rise. instead, anyone can take a part of the reward in the following steps: The price of malt is now 1.2 dai. Take a flash loan of a large amount of malt. Sell the malt for dai. Now the price went down to 1.1 dai because of the enormous swap. Call stabilize in order to lower the price to 1 dai. Buy malt to repay the flash loan at a lower cost with the bought dai. Repay the flash loan, and take the profit.
It is a sandwich attack because they sold malt for a high price, then they called stabilize to lower the value, then repurchase it for a low price.
The user made a profit at the expense of the investors.
If a user already has malt, itβs even easier: just sell all malt at a high cost.
manual review.
in _beforeTokenTransfer, if the price is above 1$ and the receiver is the AMM pool, stabilize it.
#0 - GalloDaSballo
2022-01-11T23:00:23Z
@0xScotch The warden says that if the price is above the peg price, the system should stabilize it
From reading the PoolTransferVerification.verifyTransfer, the system wants you to trade when Malt is above peg (minus tolerance)
Would you say this finding is invalid?
#1 - 0xScotch
2022-01-22T15:05:50Z
@0xScotch The warden says that if the price is above the peg price, the system should stabilize it From reading the
PoolTransferVerification.verifyTransfer, the system wants you to trade when Malt is above peg (minus tolerance)Would you say this finding is invalid?
I think the issue being pointed out is that the stabilization above peg can be sandwiched and some profit that would go to LPs can be extracted. I think this is an issue but its not absolutely critical.
We have discussed internally how to deal with this and the suggestion of calling stabilize would require some additional logic in the transfer verification as it would create a circular execution path.
I don't think that is an issue but we will consider how to best move ahead with it.
#2 - GalloDaSballo
2022-01-23T15:45:19Z
Let's dissect the warden's finding:
The price of malt is now 1.2 dai. Take a flash loan of a large amount of malt. Sell the malt for dai. Now the price went down to 1.1 dai because of the enormous swap. Call stabilize in order to lower the price to 1 dai. Buy malt to repay the flash loan at a lower cost with the bought dai. Repay the flash loan, and take the profit.
-> Flashloan Malt (assumes liquidity to do so, but let's allow that) -> Sell malt for dai -> price goes lower -> Call stabilize -> system reduces price even further -> Buy back the malt -> repay the loan
I feel like this is something that can't really be avoided as due to the permissionless nature of liquidity pools, limiting the ability to sell or buy to a path will be sidestepped by having other pools being deployed to avoid those checks.
That said, the warden has identified a way to leak value from the price control system.
To be precise the value is being extracted against traders, as to get Malt to 1.2 you'd need a trader to be so aggressive in their purchase to push the price that high. The warden showed how any arber / frontrunner can then "steal" the potential profits of the malt system users by frontrunning them.
Due to the profit extraction nature of the finding, I believe Medium Severity to be correct