New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bypass the maximum PnL check to take extra profit #111
Comments
Coded POC -> Obvious primary |
GalloDaSballo marked the issue as primary issue |
It is valid but I think it should be med risk as it needs +500% win to happen so assets are not in a direct risk, need a judge opinion on this. |
TriHaz requested judge review |
TriHaz marked the issue as sponsor confirmed |
TriHaz marked the issue as disagree with severity |
As the max leverages are 100x for crypto pairs and 500x for forex pairs, so 5% price change on crypto pairs or 1% on forex pairs lead to 500% profit. I think it would be frequent to see +500% win happening. In my personal opinion, the |
The Warden has shown how, because of a lack of checks, an attacker could bypass the PNL cap and extract more value than intended. While the condition of having a price movement of 500% can be viewed as external, I believe that in this specific case we have to exercise more nuance. An attacker could setup a contract to perform the sidestep only when favourable, meaning that while the condition may not always be met, due to volatility of pricing there always is a % (can be viewed as a poisson distribution) that a PNL bypass would favour the attacker. Additionally, after the CRV / AVI attack we have pretty strong evidence that any +EV scenario can be exploited as long as the payout is high enough. As such I believe that the finding doesn't truly rely on an external condition. For this reason, as well as knowing that the value extracted will be paid by LPs / the Protocol, I believe High Severity to be the most appropriate |
GalloDaSballo marked the issue as selected for report |
Mitigation: code-423n4/2022-12-tigris#2 (comment) |
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L267-L269
Vulnerability details
Impact
To protect the fund of vault, the protocol has a security mechanism which limits
source: https://docs.tigris.trade/protocol/trading-and-fees#limitations
But the implementation is missing to check this limitation while
addToPosition()
, an attacker can exploit it to get more profit than expected.Proof of Concept
The following test case shows both normal case and the exploit scenario.
In the normal case, a 990 USD margin, get back a 500% of 4950 USD payout, and the profit is 3960 USD.
In the exploit case, the attack will get an extra 2600+ USD profit than the normal case.
The test result
Tools Used
VS Code
Recommended Mitigation Steps
Add a check for
addToPosition()
function, revert if PnL >= 500%, enforce users to close the order to take a limited profit.The text was updated successfully, but these errors were encountered: