Trader Joe v2 contest - philogy's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 14/10/2022

Pot Size: $100,000 USDC

Total HM: 12

Participants: 75

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 1

Id: 171

League: ETH

Researcher Performance

Rank: 35/75

Findings: 1

Award: $69.50

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: shung

Also found by: 0x52, KingNFT, Trust, parashar, philogy, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
duplicate-136

Awards

69.4984 USDC - $69.50

External Links

Lines of code

https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L452
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L453

Vulnerability details

Impact

The LBPair contract's flashLoan method allows borrowers to borrow funds in an atomic flashloan. The borrowed tokens must be returned along with a fee. This fee is, however, only distributed to liquidity providers of the currently active price range in the pair (also referred to as a "bin"), despite the borrower being able to use funds deposited for other bins. Depending on the liquidity in the active bin, a borrower could also atomically move the price to a price range in which they're the only liquidity provider to achieve a very low practical borrowing cost.

Proof of Concept

  1. Initiate flashloan
  2. Repay flashloan with fee
  3. Compare accrued fees for accounts providing liquidity in the active vs. not active bins via pendingFees.

Tools Used

Manual review.

Add a global fee accumulator for tokens X and Y to track fees accruing globally to all liquidity providers of a given pool. In the flashLoan method, update the global accumulator rather than the bin-specific accumulator to ensure that the fee is fairly shared across all liquidity providers proportional to their contribution.
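
A simplified model of the fee accounting described in this finding, added here as an illustration; it is not code from the report or from the Trader Joe repository. Bin ids, LP names and amounts are constructed, and the GlobalFeeAccumulator class is a hypothetical sketch of the suggested mitigation, not LBPair's storage layout.

```python
from fractions import Fraction

# Constructed sample pool: bin id -> {LP: token X liquidity}. Simplified model,
# not LBPair's storage layout; ids and amounts are illustrative assumptions.
BINS = {99: {"alice": 400_000}, 100: {"bob": 50_000}, 101: {"carol": 550_000}}
ACTIVE_ID = 100


def bin_only_fees(bins, active_id, fee):
    """Behaviour described in the finding: the whole flash loan fee is
    credited to LPs of the active bin, pro rata within that bin."""
    payout = {lp: Fraction(0) for b in bins.values() for lp in b}
    active = bins[active_id]
    active_total = sum(active.values())
    for lp, liq in active.items():
        payout[lp] += Fraction(fee * liq, active_total)
    return payout


class GlobalFeeAccumulator:
    """Suggested mitigation: one pool-wide fee-per-liquidity-unit accumulator."""

    def __init__(self, bins):
        self.liquidity = {}
        for b in bins.values():
            for lp, liq in b.items():
                self.liquidity[lp] = self.liquidity.get(lp, 0) + liq
        self.total = sum(self.liquidity.values())
        self.acc_per_unit = Fraction(0)
        # Accumulator value already settled per LP (zero: all joined before any fee).
        self.settled = {lp: Fraction(0) for lp in self.liquidity}

    def on_flash_loan_fee(self, fee):
        self.acc_per_unit += Fraction(fee, self.total)

    def pending(self, lp):
        return self.liquidity[lp] * (self.acc_per_unit - self.settled[lp])


def compare(bins, active_id, fee):
    """Per LP: (share of pool liquidity, fee under bin-only, fee under global)."""
    old = bin_only_fees(bins, active_id, fee)
    acc = GlobalFeeAccumulator(bins)
    acc.on_flash_loan_fee(fee)
    return {lp: (Fraction(acc.liquidity[lp], acc.total), old[lp], acc.pending(lp))
            for lp in acc.liquidity}


if __name__ == "__main__":
    for lp, row in compare(BINS, ACTIVE_ID, 1_000).items():
        print(lp, *(float(v) for v in row))
```

With the sample pool, the active-bin LP holds 5% of the lendable liquidity but receives the entire fee under bin-only accounting, while the global accumulator pays each LP in proportion to their contribution.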

#0 - Shungy

2022-10-23T22:04:01Z

I find this finding to be valid.

Duplicate: https://github.com/code-423n4/2022-10-traderjoe-findings/issues/136

I believe it can be higher severity as the exploit path is practical and protocol fee loss is a loss. A finding can still be high risk without being critical.

Disclaimer: I submitted the same finding, hence an increase in severity would benefit me.

#1 - GalloDaSballo

2022-10-26T17:02:55Z

#2 - c4-judge

2022-11-13T17:19:48Z

GalloDaSballo marked the issue as satisfactory

#3 - c4-judge

2022-11-16T21:50:20Z

GalloDaSballo marked the issue as not a duplicate

#4 - c4-judge

2022-11-16T21:50:50Z

GalloDaSballo marked the issue as duplicate of #136
