Closed
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
🤖_22_group: AI based duplicate group recommendation
bug: Something isn't working
duplicate-39
satisfactory: satisfies C4 submission criteria; eligible for awards
Description
Lines of code
https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/Vault.sol#L225
Vulnerability details
Proof of Concept
In this variant of the share price manipulation attack, an attacker needs to deploy a small amount of assets, like 1 wei, just to mint 1 wei of shares, and then donate Aave collateral tokens directly to the contract to increase the share price, for example to e18.
Then all subsequent depositors may lose some value to the attacker, and this value depends on the amount they deposited. There is no 0 shares check, which means that a depositor can receive nothing at all after a deposit.
Impact
Users lose deposited assets.
Tools Used
VS Code
Recommended Mitigation Steps
Make sure the first depositor mints a big amount of shares.
Assessed type
Error
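The rounding behind this finding and the two checks it mentions (a zero-share check and a minimum first mint), as an added example that is not part of the original submission or of BakerFi's code. It assumes a generic floor-division share formula; the class, function and parameter names are hypothetical and the amounts are constructed.

```python
# Simplified integer model of vault share accounting. Assumed formula (not
# taken from Vault.sol): shares = assets * total_shares // total_assets.
class ZeroShares(Exception):
    pass

class Vault:
    def __init__(self, min_first_shares=0, reject_zero_shares=False):
        self.total_assets = 0   # collateral the vault counts as backing
        self.total_shares = 0
        self.balances = {}
        self.min_first_shares = min_first_shares      # mitigation 1
        self.reject_zero_shares = reject_zero_shares  # mitigation 2

    def deposit(self, who, assets):
        if self.total_shares == 0:
            shares = assets  # first deposit mints 1:1
            if shares < self.min_first_shares:
                raise ValueError("first deposit mints too few shares")
        else:
            # Integer division floors, like Solidity's `/` on uints.
            shares = assets * self.total_shares // self.total_assets
        if self.reject_zero_shares and shares == 0:
            raise ZeroShares("deposit would mint 0 shares")
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets):
        # Collateral sent straight to the vault: assets grow, shares do not.
        self.total_assets += assets

    def redeemable(self, who):
        if self.total_shares == 0:
            return 0
        return self.balances.get(who, 0) * self.total_assets // self.total_shares

WEI = 10**18  # constructed sample unit

def scenario(first_deposit, donation, later_deposit, **checks):
    """Return (shares minted, assets redeemable) for the later depositor."""
    v = Vault(**checks)
    v.deposit("first", first_deposit)
    v.donate(donation)
    minted = v.deposit("later", later_deposit)
    return minted, v.redeemable("later")

if __name__ == "__main__":
    print("no checks:      ", scenario(1, WEI, WEI // 2))
    print("large first mint:", scenario(WEI, WEI, WEI // 2, min_first_shares=10**6))
```

The zero-share check alone only stops the total-loss case; a deposit that rounds down to a non-zero share count still loses value, which is why the size of the first mint matters.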