A malicious early user/attacker can manipulate the apxGMX/apxGLP 's pricePerShare to take an unfair share of future users' deposit #81

code423n4 · 2022-11-24T07:45:38Z

Lines of code

https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L370-L403

Vulnerability details

Impact

A well known attack vector for almost all shares based liquidity pool contracts, where an early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share.

A malicious early user can deposit() with 1 wei of pxGMX as the first depositor of the apxGMX, and get 1 wei of shares.

Then the attacker can send 10000e18 - 1 of pxGMX and inflate the price per share from 1.0000 to an extreme value of 1.0000e22 ( from (1 + 10000e18 - 1) / 1) .

As a result, the future user who deposits 19999e18 will only receive 1 wei (from 19999e18 * 1 / 10000e18) of shares token.

They will immediately lose 9999e18 or half of their deposits if they redeem() right after the deposit().

Proof of Concept

https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/PirexERC4626.sol#L60-L78
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L164-L166
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L339-L362
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/PirexERC4626.sol#L167-L176

Tools Used

None

Recommended Mitigation Steps

Consider requiring a minimal amount of share tokens to be minted for the first minter, and send a part of the initial mints as a reserve to the DAO so that the pricePerShare can be more resistant to manipulation.

c4-judge · 2022-12-04T13:18:19Z

Picodes marked the issue as duplicate of #407

c4-judge · 2023-01-01T11:10:04Z

Picodes marked the issue as satisfactory

c4-judge · 2023-01-01T11:36:31Z

Picodes changed the severity to 3 (High Risk)

C4-Staff · 2023-01-10T21:54:30Z

JeeberC4 marked the issue as duplicate of #275

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 24, 2022

code423n4 added a commit that referenced this issue Nov 24, 2022

cccz issue #81

0a9318e

c4-judge closed this as completed Dec 4, 2022

c4-judge added the duplicate-407 label Dec 4, 2022

C4-Staff added duplicate-275 and removed duplicate-407 labels Jan 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

A malicious early user/attacker can manipulate the apxGMX/apxGLP 's pricePerShare to take an unfair share of future users' deposit #81

A malicious early user/attacker can manipulate the apxGMX/apxGLP 's pricePerShare to take an unfair share of future users' deposit #81

code423n4 commented Nov 24, 2022

c4-judge commented Dec 4, 2022

c4-judge commented Jan 1, 2023

c4-judge commented Jan 1, 2023

C4-Staff commented Jan 10, 2023

A malicious early user/attacker can manipulate the apxGMX/apxGLP 's pricePerShare to take an unfair share of future users' deposit #81

A malicious early user/attacker can manipulate the apxGMX/apxGLP 's pricePerShare to take an unfair share of future users' deposit #81

Comments

code423n4 commented Nov 24, 2022

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Dec 4, 2022

c4-judge commented Jan 1, 2023

c4-judge commented Jan 1, 2023

C4-Staff commented Jan 10, 2023