-
Notifications
You must be signed in to change notification settings - Fork 6
lil.eth - costToHeal() in InfiltrationPeriphery.sol allow easy sandwich and user paying more than healing cost #89
Comments
|
Could you expand more about this? I am not exactly sure how a view/callStatic RPC call exactly prevents price manipulation within a pool when slippage is not present. |
We provide the |
Wanted to bring up this interesting point by LSW. See #30 and #53 for more detailed explanation. However, the impact seems to only be limited to excess ETH, which logically speaking for a user performing a heal should not be significant because they shouldn't swap with excessive amounts in the first place.
|
Our frontend might add a tiny bit of buffer to make sure it goes through but even if we do that it is going to be a very tight percentage. |
Front-end solutions are not considered in Sherlock rules for determining issue validity, though I can see your view with the protocol being a game that users will primarily be interacting with the protocol on the front-end where the cost of healing will be predetermined. This statement here in #53 convince me that this could be a medium. Any thoughts? @0xhiroshi
|
That is if the user manually changes the ETH value being sent to the contract, if we follow the recommendation in issue 53, it can also be said that the user can manually change Indeed normal users aren't going to know how to change a function call parameter (while it is easier to change the ETH value) if it is a transaction through Metamask or some web wallets. But what if the user is in so much haste that he decides to go to Etherscan instead of our UI to submit the transaction? There he can set the price limit to whatever he likes. Also, from the smart contract's point of view, is a client side provided |
Agree with sponsor. Additionally, impact is only limited to excess swaps so assigning as low severity. |
lil.eth
medium
costToHeal() in InfiltrationPeriphery.sol allow easy sandwich and user paying more than healing cost
Summary
In InfitrationPeriphery.sol any user can calculate how much he must sent eth to heal it's agents, allowing him tu use ETH instead of Looks.
To do this the easiest way and recommended way seems to be using
InfiltrationPeriphery.sol#costToHeal()
that returns the amount of ETH needed to heal some NFT agents.However
costToHealInLOOKS
is first calculated by making a call toQuoterV2
. This simulates the transaction directly on the target pool. This is the fundamental problem with this design. If the pool is sandwich attacked then the expected out will also fall.Amount returned will be false and then when user will submit the false amount of ETH to effectively heal it's agent he will open door for another sandwich attack where surplus amount will be stolen.
Vulnerability Detail
Example: Assume Alice wants to heal its 10 agents using ETH :
There is no slippage added as only
costToHealInLooks
is added (if (sqrtPriceLimitX96 == 0) require(amountOutReceived == amountOut);
).This means there is no highest price Alice should get :
0,115 ETH * 5 = 1.15
as msg.value in InfiltrationPeriphery.sol#heal() and she gets sandwiched as again onlyamountOut
is needed for this transactionsqrtPriceLimitX96: 0 //E if (sqrtPriceLimitX96 == 0) require(amountOutReceived == amountOut);
Here is the related code :
Impact
Code Snippet
Tool used
Manual Review
Recommendation
Allow users to specify an min/max sqrtPriceLimitX96. If the pool ever goes above/below that value then revert the call
The text was updated successfully, but these errors were encountered: