Possible to drain Vault LPs due to unbounded weight differences #41
While weights aren't emitted on vault creation (because not all vaults might have weights). As such, we can't emit the values on creation. Instead they have to be read. We are aware of the danger of weights, see this report from Veridise: https://github.com/catalystdao/catalyst/blob/main/evm/audit/VAR_Catalyst-v1.pdf, page 19. When users deposit into vaults, it must be assumed that they know exactly what the profile of the vault is (or was relatively close to before they created their transaction). Thus the weights are assumed to be part of that. You should also be aware that the weights directly impact the cost of the vaults AND at high weights the vault might even begin to malfunction. Generally we advise users to keep the weights low-ish. (Around 10**6) but they can be set even lower to "opt-out" of governance weight changes.
Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/evm/src/CatalystVaultVolatile.sol Lines 136 to 142 in fba322f
Likewise, the governance is only able to adjust weight changes with a small-ish window:
Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/evm/src/CatalystVaultVolatile.sol Line 165 in fba322f
To be specific the Veridise report deals with a
I understand, but it's dangerous to delegate this responsibility fully to users. Realistically not every user (if not the majority of users) is going to fully validate the vault, or in this particular case the
That is why these things are done via a UI rather than directly on the contract. Realistically, how many are going to set up the vaults correctly if they don't have access to a UI?
Github username: @0xfuje
Twitter username: 0xfuje
Submission hash (on-chain): 0x5080e114a5766d73acf6fcc4a43ef0d8f1efff65669819a66efef50f41d4aff3
Severity: high
Description:
Impact
Total loss of LP deposited funds of the vulnerable Vault
Description
The root of the problem is the unbounded nature of token weights of CatalystVaults, which can be set to any value without restriction. A disproportionately large weight difference can be used to drain the vault.
Vault from the whitelisted templates with USDC, USDT and WETH with a normal distribution ($1000 USDC + $1000 USDT + 1 WETH), but sets the weight of WETH absurdly high
USDC, $10000 USDT and 10 WETH
WETH to USDC & USDT immediately draining the LP's funds from the Vault and profiting $20000 from the LP's USDC & USDT funds
Proof of Concept
test/ExampleTest.t.sol
forge test --match-test test_localswap_exploit_unbalance --via-ir -vvvv
Recommendation
Consider bounding token weights to a reasonable range (taking into account the token decimals), as this would minimize potential damage (e.g. can't exceed 100x or 10x difference). Consider adding weights as an event param to VaultDeployed(). This issue seems hard to completely mitigate; some kind of additional restriction could be used on localSwap() and LP functions to prevent highly unfavorable conversions due to weight differences.