Redemption value of synths can be manipulated to drain VaderPool
of all native assets
#3
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
question
Further information is requested
VaderPoolV2
Handle
TomFrench
Vulnerability details
Impact
Draining of funds from
VaderPool
Proof of Concept
See the
VaderPool.mintSynth
function:https://github.com/code-423n4/2021-11-vader/blob/607d2b9e253d59c782e921bfc2951184d3f65825/contracts/dex-v2/pool/VaderPoolV2.sol#L126-L167
As the pool's reserves can be manipulated through flashloans similar to on UniswapV2, an attacker may set the exchange rate between
nativeAsset
and synths (calculated from the reserves). An attacker can exploit this to drain funds from the pool.foreignAsset
to the pool. The pool now thinksnativeAsset
is extremely valuable.nativeAsset
to mint synths usingVaderPool.mintSynth
. As the pool thinksnativeAsset
is very valuable the attacker will receive a huge amount of synths.foreignAsset
they sold to the pool.nativeAsset
is now back at its normal price, or perhaps artificially low if the attacker wishes.nativeAsset
is considered much less valuable than at the point the synths were minted it takes a lot more ofnativeAsset
in order to pay out for the burned synths.For the price of a flashloan and some swap fees, the attacker has now managed to extract a large amount of
nativeAsset
from the pool. This process can be repeated as long as it is profitable.Recommended Mitigation Steps
Prevent minting of synths or at the very least tie the exchange rate to a manipulation resistant oracle.
The text was updated successfully, but these errors were encountered: