Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minting and burning synths exposes users to unlimited slippage #2

Open
code423n4 opened this issue Nov 9, 2021 · 1 comment
Open

Minting and burning synths exposes users to unlimited slippage #2

code423n4 opened this issue Nov 9, 2021 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons VaderPoolV2

Comments

@code423n4
Copy link
Contributor

Handle

TomFrench

Vulnerability details

Impact

The amount of synths minted / assets received when minting or burning synths can be manipulated to an unlimited extent by manipulating the reserves of the pool

Proof of Concept

See VaderPool.mintSynth:
https://github.com/code-423n4/2021-11-vader/blob/607d2b9e253d59c782e921bfc2951184d3f65825/contracts/dex-v2/pool/VaderPoolV2.sol#L126-L167

Here a user sends nativeDeposit to the pool and the equivalent amount of foreignAsset is minted as a synth to be sent to the user. However the user can't specify the minimum amount of synth that they would accept. A frontrunner can then manipulate the reserves of the pool in order to make foreignAsset appear more valuable than it really is so the user receives synths which are worth much less than what nativeDeposit is worth. This is equivalent to a swap without a slippage limit.

Burning synths essentially runs the same process in behalf so manipulating the pool in the opposite direction will result in the user getting fewer of nativeAsset than they expect.

Recommended Mitigation Steps

Add a argument for the minimum amount of synths to mint or nativeAsset to receive.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 9, 2021
code423n4 added a commit that referenced this issue Nov 9, 2021
@code423n4
TomFrench issue #2
07ee795
@SamSteinGG SamSteinGG added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels Nov 25, 2021
@SamSteinGG
Copy link
Collaborator

We believe the severity should be set to medium as there are no loss of funds and its exploit requires special circumstances to be profitable.

This was referenced Nov 25, 2021
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons VaderPoolV2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @SamSteinGG @0xstormtrooper