Abracadabra Mimswap - roguereggiant's results

General Information

Platform: Code4rena

Start Date: 07/03/2024

Pot Size: $63,000 USDC

Total HM: 20

Participants: 36

Period: 5 days

Judge: cccz

Total Solo HM: 11

Id: 349

League: BLAST

Abracadabra Money

Researcher Performance

Rank: 22/36

Findings: 1

Award: $208.83

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: grearlake

Also found by: Breeje, blutorque, hals, roguereggiant

Labels

bug
2 (Med Risk)
satisfactory
:robot:_36_group
duplicate-171

Awards

208.8293 USDC - $208.83

External Links

Lines of code

https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/mimswap/MagicLP.sol#L470-L502

Vulnerability details

Impact

Adjusting the value of "I" directly influences the price. This can be exploited by a MEV bot, simply by trading just before the "adjustPrice" function and exiting right after the price change. The profit gained from this operation essentially represents potential losses for the liquidity providers who supplied liquidity to the pool.

Proof of Concept

In a PMM, I is directly linked to pricing; changing it changes the price. Bots in the mempool can monitor it, front-run and sell the base token to get the quote token, and immediately after the price change sell the quote tokens to get more of the base token.

This problem arises in the following code snippet.

    function setParameters(
        address assetTo,
        uint256 newLpFeeRate,
        uint256 newI,
        uint256 newK,
        uint256 baseOutAmount,
        uint256 quoteOutAmount,
        uint256 minBaseReserve,
        uint256 minQuoteReserve
    ) public nonReentrant onlyImplementationOwner {
        if (_BASE_RESERVE_ < minBaseReserve || _QUOTE_RESERVE_ < minQuoteReserve) {
            revert ErrReserveAmountNotEnough();
        }
        if (newI == 0 || newI > MAX_I) {
            revert ErrInvalidI();
        }
        if (newK > MAX_K) {
            revert ErrInvalidK();
        }
        if (newLpFeeRate < MIN_LP_FEE_RATE || newLpFeeRate > MAX_LP_FEE_RATE) {
            revert ErrInvalidLPFeeRate();
        }

        _LP_FEE_RATE_ = uint64(newLpFeeRate);
        _K_ = uint64(newK);
        _I_ = uint128(newI);

        _transferBaseOut(assetTo, baseOutAmount);
        _transferQuoteOut(assetTo, quoteOutAmount);
        (uint256 newBaseBalance, uint256 newQuoteBalance) = _resetTargetAndReserve();

        emit ParametersChanged(newLpFeeRate, newI, newK, newBaseBalance, newQuoteBalance);
    }

An exactly similar issue was reported in the DODO V3 Sherlock competition.

https://solodit.xyz/issues/m-1-adjusting-_i_-will-create-a-sandwich-opportunity-because-of-price-changes-sherlock-dodo-gsp-git

Tools Used

Solodit

This function is not present in the original implementation of DODO V2, and the PMM doesn't need it; let the free market decide the pricing of the asset instead of controlling it via admin. With this function removed, all the functionality will still work fine.

Assessed type

Other
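
An added example (not part of the submission or of the project's code): a detector that scans one pool's ordered events for a same-trader round trip straddling a `ParametersChanged` event within a single block, which is the pattern this finding describes. The record layout and field names are assumptions made for the example, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample: one pool's events in execution order. Field names are
# assumptions made for this example, not the MagicLP ABI.
SAMPLE_EVENTS = [
    {"block": 100, "idx": 0, "kind": "Swap", "trader": "0xA", "sold": "base", "amount_in": 1000, "amount_out": 2000},
    {"block": 100, "idx": 1, "kind": "ParametersChanged"},
    {"block": 100, "idx": 2, "kind": "Swap", "trader": "0xA", "sold": "quote", "amount_in": 2000, "amount_out": 1100},
    # Round trip with no parameter change in the block: not flagged.
    {"block": 101, "idx": 0, "kind": "Swap", "trader": "0xB", "sold": "base", "amount_in": 50, "amount_out": 100},
    {"block": 101, "idx": 1, "kind": "Swap", "trader": "0xB", "sold": "quote", "amount_in": 100, "amount_out": 49},
    # Round trip across a change that loses value: not flagged.
    {"block": 102, "idx": 0, "kind": "Swap", "trader": "0xC", "sold": "base", "amount_in": 10, "amount_out": 20},
    {"block": 102, "idx": 1, "kind": "ParametersChanged"},
    {"block": 102, "idx": 2, "kind": "Swap", "trader": "0xC", "sold": "quote", "amount_in": 20, "amount_out": 9},
]


def find_sandwiches(events):
    """Flag round trips by one trader that straddle a ParametersChanged event
    in the same block and return more of the starting token than was sold."""
    by_block = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["block"], e["idx"])):
        by_block[ev["block"]].append(ev)
    hits = []
    for block, evs in by_block.items():
        swaps = [e for e in evs if e["kind"] == "Swap"]
        for change in (e for e in evs if e["kind"] == "ParametersChanged"):
            for front in (s for s in swaps if s["idx"] < change["idx"]):
                for back in (s for s in swaps if s["idx"] > change["idx"]):
                    same_trader = back["trader"] == front["trader"]
                    reversed_leg = back["sold"] != front["sold"]
                    # Only count proceeds of the front leg being sold back.
                    funded = back["amount_in"] <= front["amount_out"]
                    # Gain is measured in the token sold in the front leg.
                    gain = back["amount_out"] - front["amount_in"]
                    if same_trader and reversed_leg and funded and gain > 0:
                        hits.append({"block": block, "trader": front["trader"],
                                     "token": front["sold"], "gain": gain})
    return hits


if __name__ == "__main__":
    for hit in find_sandwiches(SAMPLE_EVENTS):
        print(hit)
```

The gain reported for a hit is value taken from the pool's liquidity providers, so each hit is worth reviewing alongside the parameter change it surrounds.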

#0 - c4-pre-sort

2024-03-15T12:31:33Z

141345 marked the issue as duplicate of #171

#1 - c4-judge

2024-03-29T16:57:22Z

thereksfour marked the issue as satisfactory
