Olas - thank_you's results

Olas is a unified network for off-chain services like automation, oracles, co-owned AI. It offers a stack for building services and a protocol for incentivizing their creation and their operation in a co-owned and decentralized way.

General Information

Platform: Code4rena

Start Date: 21/12/2023

Pot Size: $90,500 USDC

Total HM: 10

Participants: 39

Period: 18 days

Judge: LSDan

Total Solo HM: 5

Id: 315

League: ETH

Olas

Findings Distribution

Researcher Performance

Rank: 17/39

Findings: 1

Award: $358.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: erebus

Also found by: adeolu, oakcobalt, thank_you, windowhan001

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-339

Awards

358.7303 USDC - $358.73

External Links

Lines of code

https://github.com/code-423n4/2023-12-autonolas/blob/main/lockbox-solana/solidity/liquidity_lockbox.sol?plain=1#L277

Vulnerability details

Impact

When a user wants to withdraw their tokens from the LiquidityLockbox, they call the withdraw() function. withdraw() in turn calls Whirlpool's decreaseLiquidity function to decrease the liquidity in a given position: the removed liquidity is burned in exchange for the position's two underlying asset tokens. The Orca function supports passing in slippage checks, i.e. tokenMinA and tokenMinB, and fails the instruction if either returned amount is below its minimum. Unfortunately, the LiquidityLockbox hardcodes 0 for both arguments:

whirlpool.decreaseLiquidity{accounts: metasDecreaseLiquidity, seeds: [[pdaProgramSeed, pdaBump]]}(amount, 0, 0);

This can lead to the user receiving far fewer tokens than expected if the price moves between the time the withdrawal is submitted and the time it executes, e.g. on a sudden market shift.

Proof of Concept

Imagine a scenario where a user wants to withdraw a large portion of tokens by calling LiquidityLockbox#withdraw. The following sequence occurs:

  1. A market shift occurs and the LP/token exchange rate drops.
  2. The user, unaware of this sudden change, calls LiquidityLockbox#withdraw.
    • Because the slippage values are set to zero, there is no guarantee of what amounts the user will receive.
  3. The tx from step 2 completes and the user is left with fewer tokens than expected.

Users withdrawing liquidity have no way to set the minimum amounts they are willing to receive.

Tools used

Manual Review

Recommended Mitigation Steps

Allow users to pass in two additional arguments to the withdraw() function so they can set the slippage bounds themselves:

function withdraw(uint64 amount, uint64 minTokenA, uint64 minTokenB) external {
    .....
    // Audit: forwarding the caller-supplied minTokenA and minTokenB values gives the
    // Whirlpool call a proper slippage check instead of the hardcoded zeros.
    whirlpool.decreaseLiquidity{accounts: metasDecreaseLiquidity, seeds: [[pdaProgramSeed, pdaBump]]}(amount, minTokenA, minTokenB);
    .....
}
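The following is an added example, not code from the Olas lockbox or from Orca: a small Python model of withdrawing from a Whirlpool-style concentrated-liquidity position. It reproduces the scenario in the proof of concept above (a quote at one price, execution at another) and contrasts the reported behaviour, decreaseLiquidity(amount, 0, 0), with the mitigation where the caller supplies tokenMinA / tokenMinB. The position range, prices, liquidity amount and the helper names (amounts_for_liquidity, decrease_liquidity, withdraw_unguarded, withdraw_guarded, min_amounts, scenario) are assumptions made for illustration; only the range math is the standard Uniswap v3 / Whirlpool formula.

```python
"""Added example (not code from the Olas/Autonolas repository or Orca): a toy
model of withdrawing from a Whirlpool-style concentrated-liquidity position.
It shows why decreaseLiquidity(amount, 0, 0) lets a price move silently shrink
the payout, and how caller-supplied tokenMinA / tokenMinB bounds prevent that.
All names, prices and amounts below are assumptions for illustration."""
from dataclasses import dataclass
from math import sqrt


@dataclass
class Position:
    """Concentrated-liquidity position: `liquidity` spread over [lower, upper]."""
    liquidity: float
    lower_price: float   # token B per token A at the range's lower tick
    upper_price: float   # token B per token A at the range's upper tick


def amounts_for_liquidity(liquidity, price, lower, upper):
    """Token A and token B returned when `liquidity` is removed at spot `price`
    (standard Uniswap v3 / Whirlpool range math on square-root prices)."""
    sp, sa, sb = sqrt(price), sqrt(lower), sqrt(upper)
    if sp <= sa:                       # below range: position is entirely token A
        return liquidity * (sb - sa) / (sa * sb), 0.0
    if sp >= sb:                       # above range: entirely token B
        return 0.0, liquidity * (sb - sa)
    return liquidity * (sb - sp) / (sp * sb), liquidity * (sp - sa)


class SlippageExceeded(Exception):
    """Raised where the on-chain program would fail the instruction."""


def decrease_liquidity(pos, price, amount, token_min_a, token_min_b):
    """Models Whirlpool's decreaseLiquidity: removes `amount` liquidity and fails
    unless both returned amounts meet the caller's minimums."""
    if amount > pos.liquidity:
        raise ValueError("amount exceeds position liquidity")
    a, b = amounts_for_liquidity(amount, price, pos.lower_price, pos.upper_price)
    if a < token_min_a or b < token_min_b:
        raise SlippageExceeded(
            f"got ({a:.2f}, {b:.2f}), required >= ({token_min_a:.2f}, {token_min_b:.2f})"
        )
    pos.liquidity -= amount
    return a, b


def withdraw_unguarded(pos, price, amount):
    """The lockbox as reported: slippage bounds hardcoded to zero."""
    return decrease_liquidity(pos, price, amount, 0, 0)


def withdraw_guarded(pos, price, amount, min_a, min_b):
    """The recommended fix: the user passes minimums derived from a quote."""
    return decrease_liquidity(pos, price, amount, min_a, min_b)


def min_amounts(quote_a, quote_b, slippage_bps):
    """Turn a quoted payout into minimum bounds tolerating `slippage_bps` basis points."""
    factor = (10_000 - slippage_bps) / 10_000
    return quote_a * factor, quote_b * factor


def scenario(quote_price=2.25, execution_price=1.21, slippage_bps=100):
    """Constructed scenario: the user quotes at `quote_price`, the market moves to
    `execution_price` before the transaction lands. Returns what each variant does."""
    amount = 1000.0                                  # liquidity to withdraw (assumed)
    quote_a, quote_b = amounts_for_liquidity(amount, quote_price, 1.0, 4.0)
    min_a, min_b = min_amounts(quote_a, quote_b, slippage_bps)

    # Unguarded: the call succeeds and pays whatever the moved price dictates.
    got_a, got_b = withdraw_unguarded(Position(amount, 1.0, 4.0), execution_price, amount)

    # Guarded: the same price move trips the bound and the instruction fails,
    # so the user keeps their liquidity instead of silently taking the loss.
    try:
        withdraw_guarded(Position(amount, 1.0, 4.0), execution_price, amount, min_a, min_b)
        guarded_rejected = False
    except SlippageExceeded:
        guarded_rejected = True

    return {
        "quoted": (quote_a, quote_b),
        "unguarded_received": (got_a, got_b),
        "guarded_rejected": guarded_rejected,
    }


if __name__ == "__main__":
    r = scenario()
    print("quoted (A, B)        :", r["quoted"])
    print("unguarded received   :", r["unguarded_received"])
    print("guarded call rejected:", r["guarded_rejected"])
```

In the default scenario the position is quoted at roughly 166.67 token A and 500 token B; after the price drop the unguarded withdraw pays about 409 token A but only 100 token B, while the guarded withdraw fails the instruction because 100 is below the 1% slippage bound of 495. Running the guarded variant at an unchanged price succeeds, which is the behaviour a user-supplied minimum is meant to give.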

Sources

Assessed type

Timing

#0 - c4-pre-sort

2024-01-10T15:19:51Z

alex-ppg marked the issue as duplicate of #339

#1 - c4-pre-sort

2024-01-10T15:19:57Z

alex-ppg marked the issue as sufficient quality report

#2 - c4-judge

2024-01-19T20:47:16Z

dmvt marked the issue as satisfactory
