LP token price manipulation by first depositor #113
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-442
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L417-L428
https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L63-L99
Vulnerability details
Impact
LP token price manipulation by first depositor. He can make price of 1 share to be very big and benefit on rounding when next depositor add liquidity.
Proof of Concept
When user add liquidity to the pool then
addQuote
function is called to calculate amount of LP tokens that will be minted for user.https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L417-L428
In case if there is no liquidity yet then
Math.sqrt(baseTokenAmount * fractionalTokenAmount)
is used to calculate amount of shares.Attacker first can wrap token to get fractional tokens. Then attacker deposits 1 base token and 1 fractional token and get minted 1 LP token.
After that he can send huge amount of base tokens to the Pool directly. He even don't need to send fractional tokens, because
addQuote
will return min amount from baseTokenShare and fractionalTokenShare, so it's enough to increase reserves of only 1 token and it's easier to do with base token.As result we will have only 1 LP token and huge reserves of base and fractional tokens.
When next depositors will be providing liquidity that means that they should provide big amount of base token to get a share. Also because of rounding in calculations, all amount that is
(nextDepositorAmount * lpSharesAmount) % baseTokenReserves
will be distributed among depositors and first depositor will benefit from that.As result next depositors will be loosing part of funds and attacker will be earning more funds.
Tools Used
VsCode
Recommended Mitigation Steps
Do not allow first depositor to mint small amount of LP tokens.
The text was updated successfully, but these errors were encountered: