New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CurveVolatileCollateral._underlyingRefPerTok() Possible manipulation #14
Comments
thereksfour marked the issue as primary issue |
We have considered this very issue before and have decided as a solution to avoid raw ETH and ERC777's entirely, and not try to detect reentrancy in the way described in the article. This is for a few reasons:
Also related: Our target unit system does not work well with volatile pools. Each pool would need its own target unit and therefore could not be backed up with any other collateral except identically/distributed pools. We plan to remove |
There is documentation on the website indicating to avoid ERC777 tokens, but this should probably be updated to include forbidding LP tokens that contain raw ETH. Though, it is a bit more complicated than that since some LP tokens offer withdrawal functions that automate the unwrapping of WETH into ETH. https://reserve.org/protocol/rtokens/#non-compatible-erc20-assets |
pmckelvy1 marked the issue as sponsor confirmed |
thereksfour marked the issue as satisfactory |
thereksfour marked the issue as selected for report |
Dup of https://github.com/code-423n4/2023-07-reserve-findings/blob/main/data/ronnyx2017-Q.md#7-curve-read-only-reentrancy-can-increase-the-price-of-some-curvestablecollateral . In fact The price manipulated mentioned in the #14 is Curve Read-Only Reentrancy attack. And I explained this attack in more detail in my QA report. |
thereksfour marked the issue as not selected for report |
thereksfour marked the issue as duplicate of #45 |
Lines of code
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/curve/CurveStableCollateral.sol#L146
Vulnerability details
Impact
curvePool.get_virtual_price()
May be manipulated to cause malicious entryDISABLED
Proof of Concept
CurveVolatileCollateral._underlyingRefPerTok()
returncurvePool.get_virtual_price()
If
curvePool
containsETH
, it can be manipulated by the price.For more information:
https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/
_underlyingRefPerTok()
Being manipulated could lead to entryDISABLED
Tools Used
Recommended Mitigation Steps
Check for reentrancy as described in the article.
The text was updated successfully, but these errors were encountered: