This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
xiaoming90 - Gain From LMPVault Can Be Stolen #620
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
xiaoming90
high
Gain From LMPVault Can Be Stolen
Summary
An attacker can steal the gain of the LMPVault.
Vulnerability Detail
Assume the following:
LiquidatorRow.claimsVaultRewards
function against all three DVs, and carried out the necessary liquidation of the reward tokens received from Covex, Aura, and Maverick. After the liquidation, 10 WETH of rewards is queued to each of the DV's MainRewarder contracts.LMPVault.updateDebtReporting
function is triggered against the three DVs,For simplicity's sake, assume that there are 100 shares and the total assets are 100 ETH. Thus, the NAV per share is 1.0. If the
LMPVault.updateDebtReporting
function is triggered, the total assets will become 130 ETH (100 ETH + 30 ETH), and the NAV per share will increase to 1.3.If Alice owned all the 100 shares in the$LV$ where she invested 100 ETH when the vault first accepted deposits from the public, she should gain a profit of 30 ETH.
However, malicious users could perform the following actions within a single transaction to steal most of the gains from Alice (also other users). Protocol fees collected from gain are ignored for simplicity's sake.
LMPVault.updateDebtReporting
function, and theImpact
Loss of assets for the users as their gain can be stolen.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L37
Tool used
Manual Review
Recommendation
Following are the list of root causes of the issue and some recommendation to mitigate them.
updateDebtReporting
function is permissionless and can be called by anyone. It is recommended to implement access control to ensure that this function can only be triggered by Tokemak team. Do note that even if the attacker cannot trigger theupdateDebtReporting
function, it is still possible for the attacker to front-run and back-end theupdateDebtReporting
transaction to carry out the attack if they see this transaction in the public mempool. Thus, consider sending theupdateDebtReporting
transaction as a private transaction via Flashbot so that the attacker cannot sandwich the transaction.updateDebtReporting
function is triggered and exit the vault afterward and reap most of the gains. Consider implementing snapshotting within the vault.The text was updated successfully, but these errors were encountered: