Tapioca DAO - hack3r-0m's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Researcher Performance

Rank: 98/132

Findings: 3

Award: $61.03

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x007, Breeje, cergyk, hack3r-0m, kutugu, pks_

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-1211

Awards

58.8874 USDC - $58.89

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/oracle/implementations/ARBTriCryptoOracle.sol#L117

Vulnerability details

Impact

ARBTriCryptoOracle is used to determine the price of the LP token of tricrypto (USDT, WBTC, WETH) on Arbitrum. This pool is susceptible to re-entrancy due to a bug in Vyper 0.2.15, and hence get_virtual_price, which is used for pricing LP tokens, can be manipulated.

Proof of Concept

Arbitrum tricrypto allows exchanging/swapping with native ETH as the recipient

  • Attacker implements a fallback on their contract and calls exchange(..., use_eth=true) with flashloaned tokens on tricrypto
  • It inflates the self.D variable, impacting the calculation of get_virtual_price in the rest of the call context
  • Due to this, virtual_price can be decreased to a very large extent
  • If this price is used to calculate slippage while swapping, adding liquidity or removing liquidity, then it will lead to a loss to the protocol

Tools Used

Manual Review

Use the latest crvUSD tricrypto pool and wait for the Curve team to release an oracle for it, or use an off-chain oracle

Assessed type

Oracle

#0 - c4-pre-sort

2023-08-05T06:47:06Z

minhquanym marked the issue as duplicate of #704

#1 - c4-judge

2023-09-13T08:58:02Z

dmvt marked the issue as satisfactory

#2 - c4-judge

2023-09-20T20:12:27Z

dmvt changed the severity to 2 (Med Risk)

Awards

2.1417 USDC - $2.14

Labels

bug
2 (Med Risk)
satisfactory
duplicate-163

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/glp/GlpStrategy.sol#L166-L178

Vulnerability details

Impact

glpRewardRouter.mintAndStakeGlp(address(weth), wethAmount, 0, 0);

Here, minUSDG = 0 and minGlp = 0 means no slippage checks.

This can be sandwiched in certain conditions in which the delta between the min and max GLP price is higher due to the following factors:

  • delta between min and max price reported by gmx fast price feed
  • delta between optimal weight of WETH (since WETH is used for minting) and current weight of WETH in GLP pool
  • open interest imbalance

However, there is a mint and burn fee of 0.1% on GLP and hence in usual conditions, it would be rare to perform a profitable sandwich.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

Manual Review

Add one of the min output amounts in mintAndStakeGlp (ref: https://github.com/RageTrade/delta-neutral-gmx-vaults/blob/main/contracts/libraries/DnGmxJuniorVaultManager.sol#L288-L300 )

Assessed type

Oracle
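
Added example (not part of the submission or of Tapioca's code): one way to apply the min-output recommendation above, deriving minUsdg from the GMX Vault's minimum WETH price and a slippage tolerance instead of passing 0. The contract name, slippageBps and the reduced interfaces are assumptions for illustration; it also assumes the contract holds the WETH and has already approved GMX's GlpManager.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// GMX interfaces, reduced to the two calls used in this example.
interface IGmxVault {
    // Lower-bound USD price of `token`, scaled by 1e30.
    function getMinPrice(address token) external view returns (uint256);
}

interface IGlpRewardRouter {
    function mintAndStakeGlp(address token, uint256 amount, uint256 minUsdg, uint256 minGlp)
        external
        returns (uint256);
}

// Hypothetical helper, not GlpStrategy.sol itself.
contract GlpMintWithSlippage {
    uint256 private constant PRICE_PRECISION = 1e30; // GMX price scale
    uint256 private constant MAX_BPS = 10_000;

    IGmxVault public immutable gmxVault;
    IGlpRewardRouter public immutable glpRewardRouter;
    address public immutable weth;
    // Assumed tolerance in basis points. It has to cover the GLP mint fee as
    // well, because GMX compares minUsdg with the USDG amount after fees.
    uint256 public immutable slippageBps;

    constructor(IGmxVault _vault, IGlpRewardRouter _router, address _weth, uint256 _slippageBps) {
        require(_slippageBps < MAX_BPS, "slippage too high");
        gmxVault = _vault;
        glpRewardRouter = _router;
        weth = _weth;
        slippageBps = _slippageBps;
    }

    // Minimum USDG accepted for `wethAmount`. WETH and USDG both use 18
    // decimals, so only the 1e30 price scale has to be divided out.
    function minUsdgOut(uint256 wethAmount) public view returns (uint256) {
        uint256 price = gmxVault.getMinPrice(weth);
        return (wethAmount * price * (MAX_BPS - slippageBps)) / (PRICE_PRECISION * MAX_BPS);
    }

    // Same call as in the finding, with minUsdg set; the mint reverts if the
    // USDG credited for the deposit falls below the bound.
    function mintGlp(uint256 wethAmount) external returns (uint256 glpOut) {
        glpOut = glpRewardRouter.mintAndStakeGlp(weth, wethAmount, minUsdgOut(wethAmount), 0);
    }
}
```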

#0 - c4-pre-sort

2023-08-06T03:23:24Z

minhquanym marked the issue as duplicate of #220

#1 - c4-judge

2023-09-19T11:41:45Z

dmvt marked the issue as duplicate of #245

#2 - c4-judge

2023-09-22T22:18:44Z

dmvt marked the issue as satisfactory
