You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jun 30, 2024. It is now read-only.
sherlock-admin opened this issue
Dec 24, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Vault token price manipulation by first liquidity minter
Summary
First depositor can mint 1 share in the pool and then donate funds to the vault directly and sync reserves to imbalance token price. As result next depositors won't join the vault.
Vulnerability Detail
When GSP is initialized, then _I_ variable is provided. This is recommended(initial price) of base token in the vault. First depositor will get shares according to that variable.
What attacker needs to do is to be first depositor in the vault. He needs to call buyShares first and mint 1000 shares in the vault. Suppose that we have USDC:USDT pool, so he just passes small amount of usdc and usdt and receives 1000 share in the vault. This is because there is minimum mint limit. Then he can withdraw 999 shares back as there is no restriction on it. So we have 1 share now only.
Then he needs to increase reserves of the pool. The purpose is to make imbalance, which is not same as initial price.
At this moment we have only 1 share in the vault and reserves that doesn't respond to the real token price.
What attacker can achieve by this? For example we have USDC:USDT pool with initial price to be 1.
Suppose attacker made 1 share and reserves 1 usdc and 10 usdt. After such move next depositors can get smaller amount of shares than they have expected. For example someone who wanted to deposit 100 usdc and 100 usdt will get only 10 shares(previously i have said about 1000 shares min mint limit, i skip it now for simplicity) now and attacker can withdraw 10 usdt and 9 usdc(he already made 8 usdc). This is smth like share price manipulation attack.
Another thing that attacker can achieve is dos of the vault. As if people notice that reserves ratio doesn't respond to the initial price, then no one would like to deposit in such vault as once enough funds will be there, then it will be arbitraged and depositors will loose funds.
And last thing that attacker can expect is that someone will decide to normalize pool back by donating 9 usdc to make reserves equal(call sync again) and meet initial price again. This is also win situation for attacker as he earned funds.
Note that the numbers that i have provided here is just example to make it go easier with calculations and the idea.
Impact
Attacker can imbalance reserves in the pool.
Code Snippet
Provided above
Tool used
Manual Review
Recommendation
Don't allow to call sync for everyone, only after flashloan.
The text was updated successfully, but these errors were encountered:
sherlock-admin
changed the title
Modern Citron Ant - Missing Slippage Protection in buyShares and sellShares Functions
Tart Hickory Opossum - Vault token price manipulation by first liquidity minter
Dec 28, 2023
sherlock-admin
changed the title
Tart Hickory Opossum - Vault token price manipulation by first liquidity minter
rvierdiiev - Vault token price manipulation by first liquidity minter
Jan 12, 2024
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
rvierdiiev
medium
Vault token price manipulation by first liquidity minter
Summary
First depositor can mint 1 share in the pool and then donate funds to the vault directly and sync reserves to imbalance token price. As result next depositors won't join the vault.
Vulnerability Detail
When
GSP
is initialized, then_I_
variable is provided. This is recommended(initial price) of base token in the vault. First depositor will get shares according to that variable.What attacker needs to do is to be first depositor in the vault. He needs to call
buyShares
first and mint 1000 shares in the vault. Suppose that we have USDC:USDT pool, so he just passes small amount of usdc and usdt and receives 1000 share in the vault. This is because there is minimum mint limit. Then he can withdraw 999 shares back as there is no restriction on it. So we have 1 share now only.Then he needs to increase reserves of the pool. The purpose is to make imbalance, which is not same as initial price.
So after he donates some amount of funds, then he calls
GSPVault.sync
, which will update reserves.At this moment we have only 1 share in the vault and reserves that doesn't respond to the real token price.
What attacker can achieve by this? For example we have USDC:USDT pool with initial price to be 1.
Suppose attacker made 1 share and reserves 1 usdc and 10 usdt. After such move next depositors can get smaller amount of shares than they have expected. For example someone who wanted to deposit 100 usdc and 100 usdt will get only 10 shares(previously i have said about 1000 shares min mint limit, i skip it now for simplicity) now and attacker can withdraw 10 usdt and 9 usdc(he already made 8 usdc). This is smth like share price manipulation attack.
Another thing that attacker can achieve is dos of the vault. As if people notice that reserves ratio doesn't respond to the initial price, then no one would like to deposit in such vault as once enough funds will be there, then it will be arbitraged and depositors will loose funds.
And last thing that attacker can expect is that someone will decide to normalize pool back by donating 9 usdc to make reserves equal(call
sync
again) and meet initial price again. This is also win situation for attacker as he earned funds.Note that the numbers that i have provided here is just example to make it go easier with calculations and the idea.
Impact
Attacker can imbalance reserves in the pool.
Code Snippet
Provided above
Tool used
Manual Review
Recommendation
Don't allow to call sync for everyone, only after flashloan.
Duplicate of #55
The text was updated successfully, but these errors were encountered: