You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The vote weight is determined by the DAOVault and BondVault weight (voteWeight = _DAOVAULT.getMemberWeight(msg.sender) + _BONDVAULT.getMemberWeight(msg.sender)).
The weight in these vaults is the deposited LP token.
The BondVault however pays for the BASE part itself (see DAO.handleTransferIn), therefore one only needs to deposit tokens and the DAO matches the swap value.
Therefore, it's possible to manipulate the pool, deposit only a small amount of tokens (receiving a large amount of matching BASE by the DAO) and receive a large amount of LP tokens this way.
attack can be profitable:
Manipulate the pool spot price by dripping a lot of BASE into it repeatedly (sending lots of smaller trades is less costly due to the path-independence of the continuous liquidity model). This increases the BASE per token price.
Repeatedly call DAO.bond(amount) to drip tokens into the DAO and get matched with BASE tokens to provide liquidity. (Again, sending lots of smaller trades is less costly.) As the LP minting is relative to the manipulated low token reserve, a lot of LP units are minted for a low amount of tokens, leading to receiving large weight.
Create a proposal to send the entire reserve balance to yourself by using grantFunds
Unmanipulate the pool by sending back the tokens from 1. This might incur a loss.
The cost of the attack is the swap fees from the manipulation of 1. and 4. plus the (small due to manipulation) amount of tokens required to send in 2.
The profit can be the entire reserve amount which is unrelated to the pools (plus reclaiming lots of LP units over the span of the BondVault era).
The attack can be profitable under certain circumstances of:
high reserves
low liquidity in the pool
Recommended Mitigation Steps
I don't think the attack would be feasible if we couldn't get the DAO to commit the lion's share of the BASE required to acquire LP units through the BondVault incentives.
The text was updated successfully, but these errors were encountered:
Warden must understand the bond program is extremely limited in time and amount of sparta allocated through the DAO.
If the attacker was able to obtain the entire bond allocation and weight is in sparta terms, the opportunity to attack would scale along with the pool depth and therefor total weight scales up along with the bond.
Grant funds will be capped at a % of the reserve.
Handle
cmichel
Vulnerability details
The vote weight is determined by the
DAOVault
andBondVault
weight (voteWeight = _DAOVAULT.getMemberWeight(msg.sender) + _BONDVAULT.getMemberWeight(msg.sender)
).The weight in these vaults is the deposited LP token.
The
BondVault
however pays for theBASE
part itself (seeDAO.handleTransferIn
), therefore one only needs to deposittokens
and theDAO
matches the swap value.Therefore, it's possible to manipulate the pool, deposit only a small amount of
tokens
(receiving a large amount of matchingBASE
by the DAO) and receive a large amount of LP tokens this way.attack can be profitable:
BASE
into it repeatedly (sending lots of smaller trades is less costly due to the path-independence of the continuous liquidity model). This increases theBASE
pertoken
price.DAO.bond(amount)
to driptokens
into theDAO
and get matched withBASE
tokens to provide liquidity. (Again, sending lots of smaller trades is less costly.) As the LP minting is relative to the manipulated lowtoken
reserve, a lot of LP units are minted for a low amount oftokens
, leading to receiving large weight.grantFunds
tokens
from 1. This might incur a loss.The cost of the attack is the swap fees from the manipulation of 1. and 4. plus the (small due to manipulation) amount of tokens required to send in 2.
The profit can be the entire reserve amount which is unrelated to the pools (plus reclaiming lots of LP units over the span of the
BondVault
era).The attack can be profitable under certain circumstances of:
Recommended Mitigation Steps
I don't think the attack would be feasible if we couldn't get the
DAO
to commit the lion's share of theBASE
required to acquire LP units through theBondVault
incentives.The text was updated successfully, but these errors were encountered: