code-423n4 / 2021-07-spartan-findings


Vote weight can be manipulated #176

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The vote weight is determined by the DAOVault and BondVault weight (voteWeight = _DAOVAULT.getMemberWeight(msg.sender) + _BONDVAULT.getMemberWeight(msg.sender)). The weight in these vaults is the deposited LP token. The BondVault however pays for the BASE part itself (see DAO.handleTransferIn), therefore one only needs to deposit tokens and the DAO matches the swap value.

Therefore, it's possible to manipulate the pool, deposit only a small amount of tokens (receiving a large amount of matching BASE by the DAO) and receive a large amount of LP tokens this way. The attack can be profitable:

  1. Manipulate the pool spot price by dripping a lot of BASE into it repeatedly (sending lots of smaller trades is less costly due to the path-independence of the continuous liquidity model). This increases the BASE per token price.
  2. Repeatedly call DAO.bond(amount) to drip tokens into the DAO and get matched with BASE tokens to provide liquidity. (Again, sending lots of smaller trades is less costly.) As the LP minting is relative to the manipulated low token reserve, a lot of LP units are minted for a low amount of tokens, leading to receiving large weight.
  3. Create a proposal to send the entire reserve balance to yourself by using grantFunds.
  4. Unmanipulate the pool by sending back the tokens from 1. This might incur a loss.

The cost of the attack is the swap fees from the manipulation of 1. and 4. plus the (small due to manipulation) amount of tokens required to send in 2. The profit can be the entire reserve amount which is unrelated to the pools (plus reclaiming lots of LP units over the span of the BondVault era). The attack can be profitable under certain circumstances of:

Recommended Mitigation Steps

I don't think the attack would be feasible if we couldn't get the DAO to commit the lion's share of the BASE required to acquire LP units through the BondVault incentives.
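For reviewers assessing the finding above, the following added example (not part of the original report and not Spartan Protocol code) models how much vote weight and DAO-matched BASE the same bond deposit produces at an untouched pool price versus a skewed one. It assumes a fee-free constant-product pool with proportional LP minting; the `Pool` class, `compare` function and all reserve figures are constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Pool:
    """Simplified constant-product pool (assumption, not Spartan's pricing maths)."""
    base: Fraction       # BASE reserve
    token: Fraction      # listed-token reserve
    lp_supply: Fraction  # LP units outstanding

    def spot_price(self):
        """BASE per token at the current reserves."""
        return self.base / self.token

    def swap_base_in(self, amount):
        """Fee-free x*y=k swap of BASE for tokens; returns tokens paid out."""
        k = self.base * self.token
        self.base += amount
        out = self.token - k / self.base
        self.token -= out
        return out

    def bond(self, tokens):
        """Deposit tokens; the DAO matches BASE at spot. Returns (lp_minted, base_matched)."""
        matched = tokens * self.spot_price()
        minted = self.lp_supply * tokens / self.token
        self.base += matched
        self.token += tokens
        self.lp_supply += minted
        return minted, matched


def compare(deposit, skew_base_in):
    """Bond the same token deposit into an untouched pool and a price-skewed one."""
    def fresh():  # constructed sample reserves
        return Pool(Fraction(1_000_000), Fraction(1_000_000), Fraction(1_000_000))
    fair = fresh()
    fair_price = fair.spot_price()
    fair_lp, fair_base = fair.bond(Fraction(deposit))
    skewed = fresh()
    skewed.swap_base_in(Fraction(skew_base_in))
    skew_lp, skew_base = skewed.bond(Fraction(deposit))
    # Share of the position's fair value that was funded by the DAO.
    dao_share = skew_base / (skew_base + deposit * fair_price)
    return {"fair_lp": fair_lp, "skew_lp": skew_lp, "fair_base": fair_base,
            "skew_base": skew_base, "weight_gain": skew_lp / fair_lp,
            "dao_share": dao_share}


if __name__ == "__main__":
    for name, value in compare(1_000, 3_000_000).items():
        print(f"{name:12} {float(value):,.3f}")
```

In this model a price skew of factor k multiplies the LP weight per bonded token by k and the DAO's matched BASE by k squared, which is the "lion's share" effect the mitigation note refers to.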

verifyfirst commented 3 years ago

Warden must understand the bond program is extremely limited in time and amount of sparta allocated through the DAO. If the attacker was able to obtain the entire bond allocation and weight is in sparta terms, the opportunity to attack would scale along with the pool depth and therefore total weight scales up along with the bond. Grant funds will be capped at a % of the reserve.

ghoul-sol commented 3 years ago

Per sponsor comment, making this low risk