Platform: Code4rena
Start Date: 05/07/2023
Pot Size: $390,000 USDC
Total HM: 136
Participants: 132
Period: about 1 month
Judge: LSDan
Total Solo HM: 56
Id: 261
League: ETH
Rank: 99/132
Findings: 1
Award: $58.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
58.8874 USDC - $58.89
Certain Curve pools, such as the stETH/ETH pool, are exposed to read-only reentrancy: a view function such as get_virtual_price() can be called while the pool is part-way through a state-changing operation and its accounting is temporarily inconsistent. An attacker can use this to drive the pool's integrators into unintended behaviour, so appropriate safeguards are needed when working with these pools.
Affected code:
uint256 _vp = TRI_CRYPTO.get_virtual_price();
If TRI_CRYPTO represents the stETH/ETH pool, the oracle price derived from it can be manipulated by an attacker: the inflated virtual price lets them profit at the protocol's expense. Robust safeguards and regular audits are needed to preserve the integrity and accuracy of the price data taken from the stETH/ETH pool.
The add_liquidity function, used to add liquidity to the Curve pool. Reference: https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/
Tools used: vscode
Recommended mitigation: call the pool's withdraw_admin_fees function before reading get_virtual_price(), so that the pool's reentrancy lock is triggered and the call reverts if the pool is mid-operation.
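The mitigation above, shown as an added Solidity example that is not code from the audited project or from the finding author. It assumes the pool exposes Curve's get_virtual_price() and a withdraw_admin_fees() that is guarded by the pool's reentrancy lock and callable by the integrating contract (the referenced post-mortem describes this for the stETH/ETH pool; confirm it per pool before relying on it). The mock pool at the end is constructed for local testing only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: the pool implements both functions and withdraw_admin_fees()
// is protected by the pool's reentrancy lock (as for the stETH/ETH pool).
interface ICurvePool {
    function get_virtual_price() external view returns (uint256);
    function withdraw_admin_fees() external;
}

contract CurveLpPriceReader {
    ICurvePool public immutable pool;

    constructor(ICurvePool _pool) {
        pool = _pool;
    }

    // Unsafe pattern (the finding's affected code): reads the virtual price
    // directly. If this is reached from inside a pool callback, the pool's
    // accounting may be inconsistent and the returned value inflated.
    function virtualPriceUnsafe() external view returns (uint256) {
        return pool.get_virtual_price();
    }

    // Hardened pattern: first call a lock-protected pool function. While the
    // pool is mid-operation its lock is held, so this call reverts and the
    // inconsistent virtual price is never read. The function cannot be
    // `view` because withdraw_admin_fees() is a state-changing call.
    function virtualPriceChecked() external returns (uint256) {
        pool.withdraw_admin_fees(); // reverts with the pool's lock error if reentered
        return pool.get_virtual_price();
    }
}

// Constructed mock for local testing only: emulates a pool whose reentrancy
// lock can be toggled, to show that the checked path reverts while the
// unsafe path still returns a value.
contract MockCurvePool is ICurvePool {
    bool public locked;
    uint256 public vp = 1e18; // constructed sample virtual price

    function setLocked(bool l) external { locked = l; }
    function setVirtualPrice(uint256 p) external { vp = p; }

    function get_virtual_price() external view override returns (uint256) {
        return vp;
    }

    function withdraw_admin_fees() external view override {
        require(!locked, "lock"); // mirrors a @nonreentrant guard being held
    }
}
```

To exercise it locally, deploy MockCurvePool, deploy CurveLpPriceReader with the mock's address, call setLocked(true) and observe that virtualPriceChecked() reverts with "lock" while virtualPriceUnsafe() still returns 1e18; with setLocked(false) both return the same value. The design point is that the guard call must be one the pool protects with its lock and that is otherwise harmless for the caller; the revert is the signal that the read would have been unsafe.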
Oracle
#0 - c4-pre-sort
2023-08-07T03:48:31Z
minhquanym marked the issue as duplicate of #704
#1 - c4-judge
2023-09-13T08:57:37Z
dmvt marked the issue as satisfactory
#2 - c4-judge
2023-09-20T20:12:30Z
dmvt changed the severity to 2 (Med Risk)