Platform: Code4rena
Start Date: 26/09/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 113
Period: 5 days
Judge: 0xean
Total Solo HM: 6
Id: 166
League: ETH
Rank: 84/113
Findings: 1
Award: $35.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0xDecorativePineapple, 0xNazgul, 0xmatt, Jeiwan, Trust, berndartmueller, brgltd, catchup, ch13fd357r0y3r, cryptonue, ladboy233, minhtrng, neko_nyaa, rbserver, rvierdiiev, s3cunda
35.4829 USDC - $35.48
There is no access control on AlgebraPool.initialize(). That means anyone can set an initial pool price, which can be any value.
This creates an arbitrage opportunity. An exploit scenario is as follow:
initialize() with a bad price, say 1 A = 10 B.mint(). Note that Alice has to add liquidity at Bob's ratio.The result is that Alice's added liquidity ratio is radically different from the market, exposing her position to massive impermanent loss, and Bob (as well as others) can arbitrage off this pool.
VSCode
The key point here is that the pool deployer's operations should be atomic. That is, no one should be able to perform any pool operations before settings are complete.
The recommended solution is to add proper access controls to initialize(), ensuring only the pool deployer can set the initial price. However, this should potentially come with a time release, to allow anyone to set initial price if the deployer fails to initialize within a reasonable time frame (preventing a DoS).
Adding initial price as a constructor parameter is not a solution, as it can change the contract creation code, invalidating the assumption that we can pre-calculate pool addresses before deployment.
#0 - IliaAzhel
2022-10-04T13:05:30Z
duplicate of #84