Logical error in LBToken#_burn causes loss of access to LBTokens #179
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-108
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4 added the 3 (High Risk) (Assets can be stolen/lost/compromised directly) and bug labels on Oct 20, 2022
Seems to make sense, cool find.
This was referenced Oct 23, 2022
Pretty much as good as #125
Dup of #125
GalloDaSballo changed the severity to 2 (Med Risk)
c4-judge added the 2 (Med Risk) and downgraded by judge labels and removed the 3 (High Risk) label on Nov 11, 2022
c4-judge added the satisfactory label on Nov 11, 2022
GalloDaSballo marked the issue as satisfactory
GalloDaSballo marked the issue as not a duplicate
GalloDaSballo marked the issue as duplicate of #108
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBToken.sol#L227-L247
Vulnerability details
Impact
All mints, transfers and burns of the affected LBToken will revert, causing user funds to be irretrievable.
Proof of Concept
When burning LB, _beforeTokenTransfer is called with address(0) as the from address and _account as the to address, which is the reverse of what it should be. _beforeTokenTransfer is overridden in LBPair:
The issue arises from the fact that _cacheFees is now called with _balanceTo + amount instead of _balanceTo - amount.
_newBalance (_balanceTo + amount) is passed into _updateUserDebts.
It stores the user's debt using the inflated value, which inflates the user's debt value for that _id. This is not problematic for the first transaction, but it breaks all user interaction with that LBToken afterwards, because the overinflated value causes _beforeTokenTransfer to revert.
The culprit of the revert is LBPair#_getPendingFees. Since the debt value is overinflated, the subtraction will revert due to underflow. This causes _mint/_burn/_transfer to revert due to the following chain of calls: _mint/_burn/_transfer -> _beforeTokenTransfer -> _cacheFees -> _getPendingFees. Since all those functions revert, it is now basically impossible for the user to interact with any LBTokens of the affected IDs. If the user has any more LB of that ID, it will be permanently stuck and unredeemable.
Example:
Assume _bin.accTokenXPerShare is 1 for ID 1. A user mints 100 LB for ID 1, setting _debts.debtX = 100 * 1 = 100. Now the user burns 10 tokens. Because of the error, _debt.debtX = (100 + 10) * 1 = 110. Now whenever the user tries to interact with the LB (mint, burn, transfer), their value will be calculated as 90 * 1 = 90. When subtracting 90 - 110, it underflows and reverts. Unless accTokenXPerShare becomes greater than 1.22 (110 / 90), _mint/_burn/_transfer will revert.
The greater the number of swaps and the greater the burn amount, the longer this gets locked. Because the bin is only active at a specific price point, it is highly likely the funds will be locked forever.
Tools Used
Manual Review
Recommended Mitigation Steps
Reverse the order of the addresses so it is correct:
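The report's worked example (mint 100, burn 10, debt 110 against a balance of 90) modelled in Python, as an added illustration that is not code from the report or from the audited repository. Method names follow the identifiers in the report; the method bodies, the `SCALE` fixed-point factor, the `burn_args_reversed` switch and the `reverts` helper are assumptions, and Solidity's checked subtraction is emulated with an exception.

```python
# Simplified model; method bodies are assumptions, not the LBPair source.
SCALE = 100   # constructed fixed-point scale: acc == 100 means accTokenXPerShare == 1
ZERO = "0x0"  # stand-in for address(0)

class Revert(Exception):
    """Stands in for a Solidity checked-arithmetic revert."""

class Pair:
    def __init__(self, burn_args_reversed):
        self.burn_args_reversed = burn_args_reversed
        self.acc = SCALE   # accTokenXPerShare of one bin id
        self.balance = {}  # LB balance per account
        self.debt = {}     # debtX per account, scaled by SCALE

    def _get_pending_fees(self, account, balance):
        owed, debt = balance * self.acc, self.debt.get(account, 0)
        if owed < debt:
            raise Revert("underflow in _getPendingFees")
        return owed - debt

    def _cache_fees(self, account, previous_balance, new_balance):
        self._get_pending_fees(account, previous_balance)  # reverts on inflated debt
        self.debt[account] = new_balance * self.acc        # _updateUserDebts

    def _before_token_transfer(self, frm, to, amount):
        if frm != ZERO:
            bal = self.balance.get(frm, 0)
            self._cache_fees(frm, bal, bal - amount)
        if to != ZERO:
            bal = self.balance.get(to, 0)
            self._cache_fees(to, bal, bal + amount)

    def mint(self, account, amount):
        self._before_token_transfer(ZERO, account, amount)
        self.balance[account] = self.balance.get(account, 0) + amount

    def burn(self, account, amount):
        if self.burn_args_reversed:  # the call order the report describes
            self._before_token_transfer(ZERO, account, amount)
        else:                        # from = account, to = address(0)
            self._before_token_transfer(account, ZERO, amount)
        self.balance[account] -= amount

def reverts(fn, *args):
    """True if the call reverts; a successful call keeps its state change."""
    try:
        fn(*args)
    except Revert:
        return True
    return False
```

With `burn_args_reversed=True` the first burn succeeds and every later mint or burn for that account reverts until `acc` exceeds 110 / 90 of its original value; with `False` the debt tracks the reduced balance and later calls go through.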