Platform: Code4rena
Start Date: 20/01/2022
Pot Size: $50,000 USDC
Total HM: 3
Participants: 35
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 2
Id: 77
League: ETH
Rank: 6/35
Findings: 2
Award: $845.00
π Selected for report: 0
π Solo Findings: 0
845.0019 USDC - $845.00
hyh
A griefing by LP inflation attack is possible: an attacker can create pools for popular token pairs, provide a tiny amount of initial liquidity with addLiquidity(), then send big enough amounts of base and quote tokens to the pool contract (Exchange) just created, making the tiny amount of LP tokens correspond to big enough balances of base and quote, i.e. LP token will become prohibitory costly for anyone else to provide liquidity.
The pool will be inoperable as a result, while no new pools can be created for the same token pairs as ExchangeFactory require them to be unique. This way the attacker can deny the creation of an operable pool for any given pair.
createNewExchange require new pool to be unique, but no liquidity has to be added:
Initial liquidity is set by the first LP (desired amounts are user provided addLiquidity function arguments):
All the subsequent LP providers will deal with base and quote pool reserves:
Whose values can be inflated by sending tokens to the pool contract:
This attack vector was discovered for Uniswap V2 (in a bit different setting, here inflating the balances gives the same impact as burn there):
https://docs.vexchange.io/audit.html#orgc7f8ae1
Consider requiring initial LP provision on pool creation and burning of fixed amount of initial LP tokens
#0 - 0xean
2022-01-31T13:44:24Z
We are planning on implementing a minimum locked token balance similar to Uni v2.
Would say this is a med sev issue as it affects our availability but no assets are at risk
#1 - GalloDaSballo
2022-02-07T01:14:12Z
Duplicate of #145