When admin sets fee parameters on a pair, it is guaranteed to corrupt the critical static fee parameters. #425
Labels: 3 (High Risk) (Assets can be stolen/lost/compromised directly); bug (Something isn't working); duplicate-384; satisfactory (satisfies C4 submission criteria; eligible for awards)
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L915
Vulnerability details
Description
Factory owner can configure fee parameters of any pair using setFeesParametersOnPair(). The actual change in pair storage happens in _setFeeParameters:
The _feeParameters structure looks like so:
It's important to understand that the first 144 bytes, up to volatilityAccumulated, are the static variables, while the last 112 bytes are dynamic (updated on swaps). The fee update attempts to merge the existing dynamic members with the new static fields.
The core issue is that the decoded _varParameters are not shifted back left 112 bytes before the or() merge operation. As a result, the variable parameters overwrite the first 112 bytes of the static fee parameters.
This has dire consequences because binStep, which is capped at 100, can now be UINT16_MAX, as can baseFactor, which is capped at 5000. getBaseFee() calculates the base fee:
The new base fee can be up to UINT16_MAX * UINT16_MAX * 1e10 = 4e19, while the fee denominator is 1e18.
This means the system can take up to 100% of the amount as fees. This outcome is actually quite likely, as the lower 8 bits of volatilityReference will corrupt the upper 8 bits of baseFactor.
Impact
When admin sets fee parameters on a pair, it is guaranteed to corrupt the critical static fee parameters.
Proof of Concept
I've taken testSetFeesParametersOnPair(), which normally passes, added a single swap before it, and now it fails.
Add this test in LBPair.Fees.t.sol:
Tools Used
Manual audit
Recommended Mitigation Steps
The dynamic parameters need to be shifted left before the or() operation.
Also, consider adding more stateful operations in tests so that issues like this can be detected quickly.
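As an added illustration (not code from this report or from the Trader Joe repository), the Python model below packs a 256-bit fee word with the 144/112 split described in the Description, applies the merge as reported beside the corrected one from the mitigation above, and decodes binStep/baseFactor and the resulting getBaseFee() value from each; the individual field widths and the sample values are assumptions.

```python
# Bit-level model of the fee-parameter word described above: 144 static bits
# then 112 dynamic bits, lowest field first. Field widths are an assumption
# consistent with that split; the bug and the fix depend only on the split.
STATIC_FIELDS = [("binStep", 16), ("baseFactor", 16), ("filterPeriod", 16),
                 ("decayPeriod", 16), ("reductionFactor", 16),
                 ("variableFeeControl", 24), ("protocolShare", 16),
                 ("maxVolatilityAccumulated", 24)]           # 144 bits
DYNAMIC_FIELDS = [("volatilityAccumulated", 24), ("volatilityReference", 24),
                  ("indexRef", 24), ("time", 40)]            # 112 bits
STATIC_BITS, DYNAMIC_BITS = 144, 112

def pack(fields, values):  # first field in the lowest bits, like a Solidity struct
    word, offset = 0, 0
    for name, width in fields:
        assert 0 <= values[name] < (1 << width), f"{name} out of range"
        word |= values[name] << offset
        offset += width
    return word

def unpack(fields, word):  # inverse of pack()
    out, offset = {}, 0
    for name, width in fields:
        out[name] = (word >> offset) & ((1 << width) - 1)
        offset += width
    return out

def decode(word, mask_bits, offset):  # shift right, then mask: value lands at bit 0
    return (word >> offset) & ((1 << mask_bits) - 1)

def merge_buggy(current, new_static):
    # As reported: the dynamic part, decoded down to bit 0, is OR'ed as-is and
    # lands on top of binStep, baseFactor, ... instead of above them.
    var = decode(current, DYNAMIC_BITS, STATIC_BITS)
    return decode(new_static, STATIC_BITS, 0) | var

def merge_fixed(current, new_static):
    # Recommended fix: shift the dynamic part back above the 144 static bits.
    var = decode(current, DYNAMIC_BITS, STATIC_BITS)
    return decode(new_static, STATIC_BITS, 0) | (var << STATIC_BITS)

def base_fee(static):  # getBaseFee() as quoted: binStep * baseFactor * 1e10 (denominator 1e18)
    return static["binStep"] * static["baseFactor"] * 10**10

# Constructed input: a pair that has already seen swaps (non-zero dynamic fields)
STATIC = dict(binStep=25, baseFactor=5000, filterPeriod=30, decayPeriod=600,
              reductionFactor=5000, variableFeeControl=40000, protocolShare=1000,
              maxVolatilityAccumulated=350000)
DYNAMIC = dict(volatilityAccumulated=123456, volatilityReference=654321,
               indexRef=8388608, time=1_666_000_000)

def demo():  # admin re-sets the same static params; returns the static view each way
    current = pack(STATIC_FIELDS, STATIC) | (pack(DYNAMIC_FIELDS, DYNAMIC) << STATIC_BITS)
    new_static = pack(STATIC_FIELDS, STATIC)
    buggy = unpack(STATIC_FIELDS, merge_buggy(current, new_static))
    fixed = unpack(STATIC_FIELDS, merge_fixed(current, new_static))
    return buggy, fixed
```

With these inputs the reported merge turns binStep 25 into 57945 and baseFactor 5000 into 62345, so base_fee() exceeds the 1e18 denominator, while the fixed merge returns the static fields unchanged and keeps the dynamic ones intact.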