New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Yield of LiquidityReserve
can be stolen
#164
Comments
This is not unique to the protocol and is a vulnerability in almost all of the LP designs that are prevalent today. There is no loss of user funds here either. Would downgrade too Low or QA. |
In standard cases of JIT, for example in a DEX, the attacker takes a risk as the liquidity he adds is used during the swap, and this liquidity is useful for the protocol as leads to a better price for the user, which is not the case here |
@Picodes - that is fair but the liquidity is still useful and I still don't see how this qualifies as high severity. Eventually it would mean that the liquidity reserve would need less liquidity parked in it if JITers always where hitting it. |
To me it's high because: (correct me if I am missing things)
|
Agree going to leave this as high. Any whale that does a large unstake will be susceptible to having more of the fee's eroded to a predatory sandwich attack which provides no value to the system. |
@JeeberC4 what is the duplicate issue ? |
@moose-code, @JasoonS, @DenhamPreen this is flagged as a duplicate of H-06, is it a mistake ? |
Thanks, seems it was made a duplicate by mistake. |
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L126
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L176
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L206
Vulnerability details
Impact
Using sandwich attacks and JIT (Just-in-time liquidity), the yield of
LiquidityReserve
could be extracted for liquidity providers.Proof of Concept
The yield of
LiquidityReserve
is distributed when a user callsinstantUnstakeReserve()
inStaking
. Then, ininstantUnstake
,totalLockedValue
increases with the fee paid by the user withdrawing. The fee is shared between all liquidity providers as they all see the value of their shares increase.Therefore, an attacker could do the following sandwich attack when spotting a call to
instantUnstakeReserve()
.stakingToken
andaddLiquidity
leading to a fee of say
x`removeLiquidity
and repay the loan, taking a large proportion of the user feeThe problem here is that you can instantly add and remove liquidity without penalty, and that the yield is instantly distributed.
Recommended Mitigation Steps
To mitigate this, you can
The text was updated successfully, but these errors were encountered: