Good Entry - n33k's results

The best day trading platform to make every trade entry a Good Entry.

General Information

Platform: Code4rena

Start Date: 01/08/2023

Pot Size: $91,500 USDC

Total HM: 14

Participants: 80

Period: 6 days

Judge: gzeon

Total Solo HM: 6

Id: 269

League: ETH

Researcher Performance

Rank: 33/80

Findings: 1

Award: $250.17

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: nemveer

Also found by: 0xBeirao, Hama, Madalad, n33k

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-367

Awards

250.1744 USDC - $250.17

External Links

Lines of code

https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L271-L282
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L392-L398
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L423

Vulnerability details

Impact

The deposit function in GeVault is vulnerable to an inflation attack. The attacker can inflate the value returned by getTVL() by donating aTokens to GeVault. This allows the attacker to steal funds from the first depositor.

Proof of Concept

function deposit(address token, uint amount) public payable nonReentrant returns (uint liquidity)
{
    ....
    uint vaultValueX8 = getTVL();
    uint tSupply = totalSupply();
    // initial liquidity at 1e18 token ~ $1
    if (tSupply == 0 || vaultValueX8 == 0)
        liquidity = valueX8 * 1e10;
    else {
        liquidity = tSupply * valueX8 / vaultValueX8;
    }
    rebalance();
    require(liquidity > 0, "GEV: No Liquidity Added");
    _mint(msg.sender, liquidity);
    emit Deposit(msg.sender, token, amount, liquidity);
}

In the deposit function, the vaultValueX8 variable is determined by the output of the getTVL function. The vulnerability arises when an attacker uses the following steps:

  1. After the GeVault is deployed, the attacker monitors the mempool until he sees a deposit tx.
  2. The attacker frontruns and deposits a small amount of tokens into the vault to mint liquidity.
  3. They then burn their minted liquidity by withdrawing, leaving only 2 wei of liquidity.
  4. The attacker inflates the vaultValueX8 returned from the getTVL function by calling the underlying TokenisableRange::deposit to mint aToken and donates it to GeVault.
  5. In the equation liquidity = tSupply * valueX8 / vaultValueX8, where tSupply is 2 wei and valueX8 is a known value, the attacker can inflate the vaultValueX8 to make the result approximately 1.9999 wei. This causes liquidity to round down to 1 wei, resulting in the user losing the 0.9999 wei equivalent fund to the pool.
  6. The user can then withdraw all their liquidity and profit from the vulnerability.

Note this line won't protect the user,

require(liquidity > 0, "GEV: No Liquidity Added");

Tools Used

Manual review

After the GeVault is deployed, mint a little liquidity and lock it.

Assessed type

Math
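
The rounding described in this finding, as an added example that is not part of the original submission or the Good Entry code base: a Python integer model of the quoted share formula, comparing a vault whose supply is 2 wei with one where liquidity was minted and locked at deployment. The function names, the $1,000 deposit, the $1 locked seed and the pro-rata redemption formula are assumptions made for illustration.

```python
# Added illustration (not GeVault code): Python ints model Solidity uint math,
# with // standing in for Solidity's truncating division. Fees are ignored.

def mint_liquidity(t_supply, value_x8, vault_value_x8):
    """Shares minted by the quoted deposit() branch for a deposit worth value_x8."""
    if t_supply == 0 or vault_value_x8 == 0:
        return value_x8 * 10**10          # initial liquidity: 1e18 shares ~ $1
    return t_supply * value_x8 // vault_value_x8

def depositor_loss_x8(t_supply, value_x8, vault_value_x8):
    """Value (X8 units) the depositor cannot redeem right after depositing."""
    minted = mint_liquidity(t_supply, value_x8, vault_value_x8)
    if minted == 0:
        raise ValueError("GEV: No Liquidity Added")   # the require() would revert
    # Assumed pro-rata claim on the vault once the deposit has been added to it.
    redeemable = minted * (vault_value_x8 + value_x8) // (t_supply + minted)
    return value_x8 - redeemable

# Constructed sample values (assumptions, not taken from the contest repo).
DEPOSIT_X8 = 1_000 * 10**8        # a $1,000 deposit
DONATED_TVL_X8 = DEPOSIT_X8 + 1   # TVL just above the deposit value, as in step 5
SEED_X8 = 10**8                   # $1 of liquidity minted and locked at deployment
SEED_SHARES = mint_liquidity(0, SEED_X8, 0)

def compare():
    """Return (shares, loss) for the 2-wei vault and for the seeded vault."""
    bare = (mint_liquidity(2, DEPOSIT_X8, DONATED_TVL_X8),
            depositor_loss_x8(2, DEPOSIT_X8, DONATED_TVL_X8))
    seeded_tvl = SEED_X8 + DONATED_TVL_X8   # same donation on top of the seed
    seeded = (mint_liquidity(SEED_SHARES, DEPOSIT_X8, seeded_tvl),
              depositor_loss_x8(SEED_SHARES, DEPOSIT_X8, seeded_tvl))
    return bare, seeded

if __name__ == "__main__":
    bare, seeded = compare()
    print("2 wei supply :", bare)     # 1 share still passes require(liquidity > 0)
    print("locked seed  :", seeded)   # rounding loss bounded by one X8 unit
```

With a 2 wei supply the deposit mints a single share, so the `require(liquidity > 0)` check passes while about a third of the deposited value becomes unredeemable; with the locked seed the same inputs leave a rounding loss of at most one X8 unit.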

#0 - c4-pre-sort

2023-08-09T10:25:53Z

141345 marked the issue as duplicate of #367

#1 - c4-judge

2023-08-19T16:20:43Z

gzeon-c4 changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-08-20T17:14:05Z

gzeon-c4 marked the issue as satisfactory
