Vote weight can be manipulated #176

Open
code423n4 opened this issue Jul 21, 2021 · 2 comments
@code423n4
Contributor

Handle

cmichel

Vulnerability details

The vote weight is determined by the DAOVault and BondVault weight (voteWeight = _DAOVAULT.getMemberWeight(msg.sender) + _BONDVAULT.getMemberWeight(msg.sender)).
The weight in these vaults is the deposited LP token.
The BondVault however pays for the BASE part itself (see DAO.handleTransferIn), therefore one only needs to deposit tokens and the DAO matches the swap value.

Therefore, it's possible to manipulate the pool, deposit only a small amount of tokens (receiving a large amount of matching BASE by the DAO) and receive a large amount of LP tokens this way.
The attack can be profitable:

  1. Manipulate the pool spot price by dripping a lot of BASE into it repeatedly (sending lots of smaller trades is less costly due to the path-independence of the continuous liquidity model). This increases the BASE per token price.
  2. Repeatedly call DAO.bond(amount) to drip tokens into the DAO and get matched with BASE tokens to provide liquidity. (Again, sending lots of smaller trades is less costly.) As the LP minting is relative to the manipulated low token reserve, a lot of LP units are minted for a low amount of tokens, leading to receiving large weight.
  3. Create a proposal to send the entire reserve balance to yourself by using grantFunds
  4. Unmanipulate the pool by sending back the tokens from 1. This might incur a loss.

The cost of the attack is the swap fees from the manipulation of 1. and 4. plus the (small due to manipulation) amount of tokens required to send in 2.
The profit can be the entire reserve amount which is unrelated to the pools (plus reclaiming lots of LP units over the span of the BondVault era).
The attack can be profitable under certain circumstances of:

  • high reserves
  • low liquidity in the pool

Recommended Mitigation Steps

I don't think the attack would be feasible if we couldn't get the DAO to commit the lion's share of the BASE required to acquire LP units through the BondVault incentives.

@verifyfirst
Collaborator

Warden must understand the bond program is extremely limited in time and amount of sparta allocated through the DAO.
If the attacker was able to obtain the entire bond allocation and weight is in sparta terms, the opportunity to attack would scale along with the pool depth and therefore total weight scales up along with the bond.
Grant funds will be capped at a % of the reserve.

@ghoul-sol
Collaborator

Per sponsor comment, making this low risk
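
A simplified model of the bond mint discussed in this issue, added here as an illustration and not taken from the project's code. It assumes a fee-free constant-product pool, pro-rata LP minting and constructed reserves, and shows how the BASE matched by the DAO and the resulting weight share depend on the pool's spot price, and how a bond allocation cap bounds both. `Pool`, `bond` and `weight_share` are hypothetical names.

```python
# Simplified model, not the project's code. Assumptions: constant-product
# pool, no swap fees, LP units minted pro rata for a balanced add.
from dataclasses import dataclass

@dataclass
class Pool:
    base: float    # BASE reserve
    token: float   # TOKEN reserve
    units: float   # total LP units outstanding (vault weight is in LP units)

    def swap_base_in(self, amount):
        """Swap BASE for TOKEN along x*y=k; raises the BASE-per-token price."""
        k = self.base * self.token
        self.base += amount
        out = self.token - k / self.base
        self.token -= out
        return out

def bond(pool, tokens, allocation_left):
    """Depositor sends only TOKEN; the DAO matches its spot value in BASE.
    Returns (LP units minted, BASE paid by the DAO)."""
    matched = tokens * pool.base / pool.token
    if matched > allocation_left:      # bond allocation acts as a hard cap
        raise ValueError("bond allocation exhausted")
    minted = pool.units * tokens / pool.token
    pool.base += matched
    pool.token += tokens
    pool.units += minted
    return minted, matched

def weight_share(skew_base, tokens, allocation):
    """Share of all LP units gained by bonding `tokens` after `skew_base`
    BASE was swapped into a constructed 1000/1000 pool with 1000 units."""
    pool = Pool(base=1000.0, token=1000.0, units=1000.0)
    if skew_base:
        pool.swap_base_in(skew_base)
    minted, matched = bond(pool, tokens, allocation)
    return minted / pool.units, matched

if __name__ == "__main__":
    for skew in (0, 9000):
        share, matched = weight_share(skew, 10, 5000)
        print(f"skew={skew}: share={share:.4f}, DAO paid {matched:.0f} BASE")
```

In this model the same 10-token bond costs the DAO 100 times more BASE at the skewed price, so the size of the bond allocation directly limits how much weight a skewed pool can hand out.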
