Open code423n4 opened 3 years ago
Slip-based pools cannot be attacked with flash loans.
Further comment from @cmichelio:
I can curate my custom token using curatePool without using a flashloan or using replacePool by temporarily providing liquidity to the pool without trading in it and getting slip-fee'd. I'm not trading in the pool, and don't think providing/removing liquidity comes with a fee. I think this is still an issue.
Handle
@cmichelio
Vulnerability details
The Router.curatePool and replacePool functions don't have any access restriction. An attacker can get a flash loan of base tokens and replace existing curated pools with their own curated pools.
Impact
Curated pools determine if a pool receives rewards. An attacker can remove rewards of a curated pool this way and add rewards to their own pool with a custom token they control. They can then go ahead and game the reward system by repeatedly swapping in their custom pool with useless tokens, withdraw liquidity in the end, and pay back the base flash loan.
Recommended Mitigation Steps
Prevent replacing curations through flash loans. Consider making pool curations DAO-exclusive actions.
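To make the finding and the proposed mitigation concrete, here is an added illustration that is not the audited project's Router: a minimal contract with the unrestricted curatePool/replacePool described in the report, next to a version where both are DAO-exclusive. The storage layout (curatedPools, MAX_CURATED) and the DAO address are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, minimal Router illustrating the report. Names such as
// curatedPools, MAX_CURATED and DAO are assumptions, not the project's code.
contract RouterUnrestricted {
    address[] public curatedPools;
    uint256 public constant MAX_CURATED = 10;

    // No access control: any caller, including one funded by a flash loan
    // or a temporary liquidity deposit, can push its own pool into the set.
    function curatePool(address pool) external {
        require(curatedPools.length < MAX_CURATED, "curation full");
        curatedPools.push(pool);
    }

    // Likewise unrestricted: evicts an existing curated pool.
    function replacePool(address oldPool, address newPool) external {
        for (uint256 i = 0; i < curatedPools.length; i++) {
            if (curatedPools[i] == oldPool) { curatedPools[i] = newPool; return; }
        }
        revert("pool not curated");
    }
}

// Mitigation from the report: curation becomes a DAO-exclusive action, so
// holding base tokens or liquidity gives no control over reward eligibility.
contract RouterDaoGated {
    address public immutable DAO;
    address[] public curatedPools;
    uint256 public constant MAX_CURATED = 10;

    modifier onlyDAO() {
        require(msg.sender == DAO, "only DAO");
        _;
    }

    constructor(address dao) { DAO = dao; }

    function curatePool(address pool) external onlyDAO {
        require(curatedPools.length < MAX_CURATED, "curation full");
        curatedPools.push(pool);
    }

    function replacePool(address oldPool, address newPool) external onlyDAO {
        for (uint256 i = 0; i < curatedPools.length; i++) {
            if (curatedPools[i] == oldPool) { curatedPools[i] = newPool; return; }
        }
        revert("pool not curated");
    }
}
```

In the gated version a call to curatePool or replacePool from any address other than DAO reverts with "only DAO", which is what removes the flash-loan and temporary-liquidity paths discussed above.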