Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cergyk - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position #67

Closed
sherlock-admin3 opened this issue Jun 4, 2024 · 8 comments
Closed

cergyk - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position #67

sherlock-admin3 opened this issue Jun 4, 2024 · 8 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Non-Reward This issue will not receive a payout

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jun 4, 2024
edited by WangSecurity
Loading

cergyk

high

ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position

Summary

Unlimited slippage can be incurred on an executor initializing a position because the slippage protection is disabled (set to 0).

Vulnerability Detail

To set a new module on a vault, an executor has to call ArrakisStandardManager::setModule which withdraws the vault's funds from the pool and transfers to the new module: ArrakisMetaVault.sol#L109.

Then the executor needs to call ValantisModule::initializePosition through the module_.call(payloads_[i]); to deposit the funds into the new pool: ValantisHOTModule.sol#L148.

However, the slippage protection is disabled in the call to HOT::depositLiquidity, allowing unlimited slippage to be incurred to the executor when initializing the position (depositing) in the pool: HOT.sol#L667-L668.

Impact

Loss of funds for the vault/LPs due to slippage.

Scenario

See Excalidraw diagram

  1. Executor wants to set a new module on a vault and calls setModule().
  2. Attacker sees the transaction in the mempool and front-runs it, buying large amount of tokens from the pool.
  3. Executor's transaction gets executed, effectively setting the new module and depositing the liquidity into the pool at an unbalanced price.
  4. Attacker back-runs and makes a profit from their sandwich attack.

Code Snippet

Tool used

Manual Review

Recommendation

Allow the executor to set slippage protections in their call to ValantisModule::initializePosition.
@github-actions github-actions bot closed this as completed Jun 6, 2024
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jun 6, 2024
@0xffff11 0xffff11 added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jun 8, 2024
@sherlock-admin2 sherlock-admin2 changed the title Merry Yellow Osprey - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position cergyk - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position Jun 12, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 12, 2024
@github-actions github-actions bot changed the title cergyk - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position Merry Yellow Osprey - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position Jun 13, 2024
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 13, 2024
@sherlock-admin sherlock-admin changed the title Merry Yellow Osprey - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position cergyk - ValantisModule::initializePosition Unlimited slippage can be incurred on initialization of position Jun 13, 2024
@WangSecurity WangSecurity removed the Medium A valid Medium severity issue label Jun 13, 2024
@CergyK
Copy link
Collaborator

CergyK commented Jun 13, 2024
edited
Loading

Escalate

This issue should be unduplicated from #80 since context and mitigation are different.

For this issue in particular, even if deviation check is set:

  • Since the whole funds are migrated to the new vault, a small manipulation of the spot price can cause a non-negligible loss for LPs.
  • The behavior of setModule is inconsistent with StandardManager::rebalance which enables executor to set slippage checks. This, even though setModule acts as a rebalance between old and new module

@sherlock-admin3
Copy link
Contributor Author

sherlock-admin3 commented Jun 13, 2024
edited by sherlock-admin4
Loading

Escalate

This issue should be unduplicated from #80 since context and mitigation are different.

For this issue in particular, even if deviation check is set:

  • Since the whole funds are migrated to the new vault, a small manipulation of the spot price can cause a non-negligible loss for LPs.
  • The behavior of setModule is inconsistent with StandardManager::rebalance which enables executor to set slippage checks. This, even though setModule acts as a rebalance between old and new module

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Jun 13, 2024
@0xjuaan
Copy link

0xjuaan commented Jun 14, 2024
edited
Loading

If the new module used a different pool to the old module, this would fail since the attacker would not be to front-run and swap in the pool before any liquidity was provided to the new pool via initializePosition()

Hence, the attack requires the same SovereignPool to be used by both modules. If the same SovereignPool is used by both the old and new module, how is there any profit for the attacker?

Attacker buys tokens, moving price from A->2A

Executor calls setModule, withdraws liquidity and deposits back (both actions at price 2A)

Then the attacker sells tokens, moving price from 2A->A

Where is the loss for LP? They deposit and withdraw at the exact same price

@WangSecurity
Copy link
Contributor

@CergyK do you have any counterarguments to the comment above?

@CergyK
Copy link
Collaborator

CergyK commented Jun 18, 2024
edited
Loading

@WangSecurity

@0xjuaan is correct on this, this escalation can be invalidated

@WangSecurity
Copy link
Contributor

WangSecurity commented Jun 18, 2024
edited
Loading

Planning to reject the escalation and leave the issue as it is. But, if it #80 is validated, planning to de-dup this issue, since it's not a duplicate of #80 (but correct me if i'm wrong).

@WangSecurity WangSecurity removed the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jun 19, 2024
@WangSecurity
Copy link
Contributor

Result:
Invalid
Unique

@sherlock-admin2 sherlock-admin2 removed the Escalated This issue contains a pending escalation label Jun 19, 2024
@sherlock-admin3 sherlock-admin3 added the Escalation Resolved This issue's escalations have been approved/rejected label Jun 19, 2024
@sherlock-admin4
Copy link

Escalations have been resolved successfully!

Escalation status:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@CergyK @0xjuaan @0xffff11 @WangSecurity @sherlock-admin2 @sherlock-admin3 @sherlock-admin4