-
Notifications
You must be signed in to change notification settings - Fork 5
shealtielanz - Unlimited slippage during emergencyExit()
#120
Comments
Invalid, reason to use zero min amounts (no slippage) is clearly stated in the above comments here, that is no trade will occur during a proportional exit in the first place. |
emergencyExit()
emergencyExit()
Escalate Hello @nevillehuang
Here is the point of #87 where the Watson stated that
Though the Watson point is based on setting as true instead of false, will make it not proportional. we both stated the same issue that The trade performed isn’t proportional
Same with the Impact I stated in my issue that
Though his report is better detailed than mine the two issues have stated that:
His mitigation solve the issue from the root of the matter, so that the trade will be a proportional trade that won’t allow for slippage and front running attacks. With the following points I have give above, I kindly say that this issue(#120) is a correct duplicate of #87. Thank you so much for your time, I really appreciate it |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Imo, this submission should be low severity based on the following sherlock rule, as the root cause and attack path is not sufficiently described and extremely vague with lack of details.
Additionally, as far as I see it, the zero amount for slippage is not the issue here, but instead is due to this mentioned by @xiaoming9090:
|
My report showed the attack path as the way to exploit this issue is front running/sandwich attacks allowing for the exit trade to be prone to massive slippage the devs assumed that it is proportional though it is single sided by setting to true however the underlying issues is that the min amounts out for the trade are set to default(zero) which allow the trade to settle at a large slippage.
This issue is clearly a duplicate of you get to understand the underlying issue submitted by the Watson in #87 |
I am still not convinced, since the original submission is really very vague. But will call in @jeffywu @xiaoming9090 for further review and insights. |
The devs assumed the trade would not be prone front running or sandwich attach because the thought the trade performed would be proportional so the set the min amounts out to zero, now since the trades aren’t proportional the allow for slippage as the min amounts out are to zero. |
you can see here File: SingleSidedLPVaultBase.sol
486: // By setting min amounts to zero, we will accept whatever tokens come from the pool
487: // in a proportional exit. Front running will not have an effect since no trading will
488: // occur during a proportional exit.
489: _unstakeAndExitPool(claimToExit, new uint256[](NUM_TOKENS()), true);
// By setting min amounts to zero, we will accept whatever tokens come from the pool
487: // in a proportional exit. Front running will not have an effect since no trading will
488: // occur during a proportional exit. where the min amounts out( |
I believe boolean being set to In a realistic scenario, if the pool is moving rapidly during an emergency exit it is practically very difficult to set slippage limits. The idea here is to ensure that the vault is able to rapidly exit whatever funds it can. A sandwich trade would not be profitable if the boolean flag is set to false. |
From the submission:
This is not explained at all. Why is that? From the wording it seems some would be and others wouldn't, which is not the case in the code quoted by the submission. The mitigation proposed in this report shows the lack of understanding of the issue: it's not the lack of slippage control that is lacking, but it is a wrongly set argument. Even though the same exploit is possible, it shows a lack of understanding of the Watson. The Watson even failed to justify why are the withdrawals not proportional despite a comment right above the line of code mentioned. Quoting it can invalidate all parts of noted "properties" described in the issue, hence the Watson did not provide sufficient explanation of the bug per rule mentioned by @nevillehuang. Hence, I am planning to reject the escalation and leave the issue as is. |
The mitigation I proposed might not be the best mitigation, but it is common mitigation against this kind of issues
I wrote this report on my phone about 2 mins before the contest ended, it was meaning to saying the trades are not at all proportional due to issues with language, time, my keyboard auto-correct. (but it still means the same thing as the context is still in place).
My report complies to the Sherlock guideline
I strongly believe that this issue is a valid duplicate of #87. |
Also another thing to note is the sponsors comment here
My report states this as the concern |
Agree with @Czar102, and is also along the thoughts of why I invalidated this issue in the first place. |
I understand your reasoning for disregarding this in the first place however, with the comments I and the sponsor presented above I don’t see why this escalation should not be accepted. |
Hey @shealtielanz, I don't think you managed to bring up any new points in your response.
Everyone has the same amount of time and it's within the rules of the contest. The fact that you didn't manage to describe this issue properly means that you didn't create a valid submission per contest rules.
You have mentioned the attack path, but the report is extremely vague, which is supported by the above mentioned points. This is why I am planning keep it invalid. Let this be a lesson for the future to focus on the codebase earlier to submit high-effort submissions to be rewarded for them. The Lead Judge made a good call by not including it as a duplicate. |
Result: |
Escalations have been resolved successfully! Escalation status:
|
Une autre leçon apprise |
shealtielanz
medium
Unlimited slippage during
emergencyExit()
Summary
In the emergencyExit() of singleSidedLPvault, the min amount out is set to complete zero, based on the assumption of proportional trades do not allow frontrunning however not all trades in pools will be proportional allowing for an unlimited slippage during emergency exits.
Impact
This will lead to emergency exits returning up to zero amount out when unstaking and exiting a pool, leading to complete loss of funds during emergency exits
Code Snippet
Tool used
Manual Review
Recommendation
Allow for a min amount when ever calling emergency exit
The text was updated successfully, but these errors were encountered: