Pair.sol contract is susceptible to having its pricing curve (x*y = k) manipulated through a 3rd party contract calling selfdestruct() and forwarding ether. #506
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-383
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L479
Vulnerability details
Impact
If a pair is denominated in ether, a third party contract can forward ether to the contract using the selfdestruct function passing the pair's address. The impact of this is that the pair will allow its market making curve to be manipulated. Among other possibilities, this could allow the price of the fractional tokens/nft's to be artificially inflated.
Proof of Concept
The following is a common example of a contract that could forward ether to the Pair causing the contract to break its liquidity ratio:
Tools Used
For this audit, the tools used were slither, VS Code, and the remix ide.
Recommended Mitigation Steps
To avoid this potential price manipulation of the Pair contract, it is recommended to do the following:
Declare a state variable that will track the updated balance of the contract when a payable function receives a 'msg.value'.
Replace the reference to 'address(this).balance' on line 479 of the Pair.sol contract with a reference to this state variable.
The text was updated successfully, but these errors were encountered: