Platform: Code4rena
Start Date: 26/09/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 113
Period: 5 days
Judge: 0xean
Total Solo HM: 6
Id: 166
League: ETH
Rank: 81/113
Findings: 1
Award: $35.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0xDecorativePineapple, 0xNazgul, 0xmatt, Jeiwan, Trust, berndartmueller, brgltd, catchup, ch13fd357r0y3r, cryptonue, ladboy233, minhtrng, neko_nyaa, rbserver, rvierdiiev, s3cunda
35.4829 USDC - $35.48
https://github.com/code-423n4/2022-09-quickswap/blob/main/src/core/contracts/AlgebraPool.sol#L193-L206
https://github.com/code-423n4/2022-09-quickswap/blob/main/src/core/contracts/AlgebraFactory.sol#L58-L74
https://github.com/code-423n4/2022-09-quickswap/blob/main/src/core/contracts/AlgebraPoolDeployer.sol#L43-L53
Hackers can set the initial price to an arbitrary number, which can cause the insolvency of the protocol.
There is no AlgebraPool.initialize invocation during the full creation process of AlgebraPool, which means the deployment and initialization are two separate steps, and the initialize function has no restriction on the caller, so theoretically anyone can call this function once they know the pool address. Reviewing the creation process of the pool in the factory and deployer contracts, you're using the new method to create the pool contract, and the new method is in fact using create2 in the EVM, so the address is predictable, so the above-mentioned exploitation is totally feasible. So the steps are: a hacker monitors the mempool, fetches the creation of the pool, and then backruns this txn or front-runs the initialize function call txn, setting the price to a very unreasonable number.
Combine the creation and initialize steps into one.
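The recommended mitigation, sketched as an added example that is not part of the original submission and is not the QuickSwap/Algebra code: the factory deploys and initializes the pool in one transaction, and the pool accepts `initialize` only from its factory. `SketchPool`, `SketchFactory`, `createAndInitializePool`, `poolByPair` and the plain `uint160 price` field are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: simplified stand-ins, not the audited contracts.
contract SketchPool {
    address public immutable factory;
    uint160 public price; // 0 means "not yet initialized"

    constructor() {
        factory = msg.sender; // the deploying factory
    }

    // Hardened form: restricted to the factory and callable once.
    // The finding above concerns an initialize with no caller restriction.
    function initialize(uint160 initialPrice) external {
        require(msg.sender == factory, "only factory");
        require(price == 0, "already initialized");
        require(initialPrice != 0, "zero price");
        price = initialPrice;
    }
}

contract SketchFactory {
    mapping(address => mapping(address => address)) public poolByPair;

    event PoolCreated(address indexed token0, address indexed token1, address pool, uint160 initialPrice);

    // Deployment and initialization share one transaction, so the pool is
    // never observable on-chain or in the mempool in an uninitialized state.
    function createAndInitializePool(address tokenA, address tokenB, uint160 initialPrice)
        external
        returns (address pool)
    {
        require(tokenA != tokenB, "identical tokens");
        (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
        require(token0 != address(0), "zero address");
        require(poolByPair[token0][token1] == address(0), "pool exists");

        // A salted `new` deploys via CREATE2, so the address is predictable;
        // that is harmless here because initialization cannot be raced.
        bytes32 salt = keccak256(abi.encode(token0, token1));
        pool = address(new SketchPool{salt: salt}());
        SketchPool(pool).initialize(initialPrice);

        poolByPair[token0][token1] = pool;
        emit PoolCreated(token0, token1, pool, initialPrice);
    }
}
```

With this shape the initial price is chosen by whoever creates the pool, so integrators should still sanity-check a new pool's price before adding liquidity.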
#0 - 0xean
2022-10-02T22:21:30Z
dupe of #84