Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #42

Open
code423n4 opened this issue Apr 8, 2022 · 3 comments
Open

QA Report #42

code423n4 opened this issue Apr 8, 2022 · 3 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L623-L625

Vulnerability details

Impact

There is no direct slippage control for the results of the swaps via UniV3LpVault's _swap function, so its calls are subject to sandwich attacks. Trades can happen at a manipulated price and end up receiving fewer tokens than current market price dictates.

Placing severity to medium as swapping is used in the system during a number of core operations (repayDebt, flashFocusCall, also compoundFees and moveRange via _prepareForDeposit), while funds in some of these cases can be substantial, so sandwich attacks are often enough economically viable and thus probable, while they result in a partial fund loss.

Proof of Concept

A range of functions invoke _swap, which takes in the path and input amount, and accept any output amount:

https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L623-L625

_swap is used across the logic, including cases where amount can be substantial, which make sandwich attacks viable, for example repayDebt and flashFocusCall:

https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L520-L521

https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L379

Recommended Mitigation Steps

Consider adding minimum accepted return argument to the _swap and pass it through from mentioned user-facing functions and condition execution success on it. The user can always choose to leave the minimum empty, but there should be a way to control it at the level of total output amounts.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 8, 2022
code423n4 added a commit that referenced this issue Apr 8, 2022
@code423n4
hyh issue #42
9314cb4
@0xdramaone 0xdramaone added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Apr 11, 2022
@0xdramaone
Copy link
Collaborator

0xdramaone commented Apr 11, 2022
edited

Disagree that slippage protection is needed in the _swap function, as this is used for intermediary transactions where we have surrounding slippage checks (see params.amountMin in compoundFees, moveRange, flashFocus ). So long as we meet our minExpected amounts in our final entry of liquidity into a range, we have experienced bounded net slippage.

Low risk

This was referenced Apr 11, 2022
Open
Closed
@jack-the-pug
Copy link
Collaborator

Downgraded to QA as slippage protection is done already at a higher level.

@jack-the-pug jack-the-pug added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Apr 13, 2022
@JeeberC4
Copy link

Generating QA Report as warden did not submit one and judge downgraded issue. Preserving original title: UniV3LpVault swaps can be subject to sandwich attacks as total output can't be user controlled

@JeeberC4 JeeberC4 changed the title UniV3LpVault swaps can be subject to sandwich attacks as total output can't be user controlled QA Report Apr 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @jack-the-pug @0xdramaone @JeeberC4