Deploying vaults without seeding liquidity can lead to share price manipulation attacks. #379
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-209
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/tokens/TokenggAVAX.sol#L24
Vulnerability details
The share price always return 1:1 with asset token. If everything work normally, share price will slowly increase with time to 1:2 or 1:10 as more rewards coming in.
But right after TokenggAVAX contract creation, during first cycle, any user can deposit 1 share set
totalSupply = 1
. And transfer token to vault to inflatetotalAssets()
before rewards kick in. (Basically, pretend rewards themselves before anyone can deposit in to get much better share price.)This can inflate base share price as high as 1:1e18 early on, which force all subsequence deposit to use this share price as base.
Impact
The share price can be manipulated and due to rounding precision other users will recieve less (or zero) shares when they deposit asset.
POC
Recommendations
More about the similar issue here: https://rokinot.github.io/hatsfinance
The text was updated successfully, but these errors were encountered: