Asymmetry contest - shuklaayush's results

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L215

Vulnerability details

Impact

RETH derivative uses uniswap v3 spot price which can be manipulated to steal from the pool

Proof of Concept

The ethPerDerivative call in the underlyingValue calculation uses the total amount currently deposited in the liquid staking derivative. https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L73

This means that for RETH, when deposits are high, this would return poolPrice() which is the uniswap v3 spot price. This price can be manipulated https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L211-L216 https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L228-L242

1. Flashloan RETH and crash RETH/ETH uniswap v3 spot price
2. Stake ETH to get more shares minted (since ethPerDerivative for RETH would be small)
3. Unstake shares to get more ETH than deserved

Tools Used

Recommended Mitigation Steps

Use an oracle for RETH price

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/SfrxEth.sol#L74-L75

Vulnerability details

Impact

The frxETH derivative uses price_oracle of the curve pool which can be used to manipulate the slippage limits

Proof of Concept

Background

The price_oracle() in the Curve pool is an exponential moving average that exponentially converges from an old value to the last trade value. This is manipulatable in certain conditions. Someone can write a contract that flash-loans a large amount of token A (comparable to the amount of token A in a pool), swaps it for token B in the pool, swap the token B back to token A and repay the flash-loan. This would mean that the last price would significantly differ from the actual price. If there are no transactions on the pool for a while after this, then the pool's price_oracle() would converge to a value close to this last price and hence, very different from the actual tokenA/tokenB price.

One key point here is that this kind of price manipulation doesn't require too many funds at risk (since the flashloan is paid up). The maximum loss for the exploiter would just be the fee on the flashloan and the two swaps.

An example of this manipulation for Curve v2 pools can be found in this repo https://github.com/shuklaayush/brownie-curve-v2

Vulnerability

• Do a huge flashloan trade for frxETH/ETH pool to crash the frxETH price. Wait for some time for the price_oracle to converge to the crashed value
• Any subsequent withdrawal tx will have a low slippage limit for the frxETH -> ETH conversion and can be sandwiched

Tools Used

Recommended Mitigation Steps

Use a proper oracle