maxsam4
commented
3 years ago Stableswap needs to use toAmount balances rather shares to work. This issue allows skimming yield profits from the pool. There's no user funds at risk but still an issue.
We plan on resolving this by using a fixed toElastic ratio during the whole swap.
Handle
broccoli
Vulnerability details
Impact
An attacker can call the
bento.harvestfunction during the callback function of a flash swap of theHybridPoolto reduce the number of input tokens that he has to pay to the pool, as long as there is any unrealized profit in the strategy contract of the underlying asset.Proof of Concept
HybridPoolaccounts for the reserve and balance of the pool using thebento.toAmountfunction, which represents the actual amount of assets that the pool owns instead of the relative share. The value oftoAmountcould increase or decrease if thebento.harvestfunction is called (by anyone), depending on whether the strategy contract earns or loses money.Bentohas a profit not accounted for yet. To account for the profit, anyone could callharvestonBentowith the corresponding parameters, which, as a result, increases theelasticof the DAI token.flashSwapto initiate a flash swap from WETH to DAI. First, the pool transfers the corresponding amount of DAI to him, calls thetridentSwapCallbackfunction on the attacker's contract, and expects that enough DAI is received at the end.tridentSwapCallbackfunction, the attacker callsbento.harvestto realize the profit of DAI. As a result, the pool'sbento.toAmountincreases, and the amount of DAI that the attacker has to pay to the pool is decreased. The attacker could get the same amount of ETH but paying less DAI by exploiting this bug.Referenced code: HybridPool.sol#L218-L220 HybridPool.sol#L249-L250 HybridPool.sol#L272-L285 BentoBoxV1Flat.sol#L1105 BentoBoxV1Flat.sol#L786-L792 BentoBoxV1Flat.sol#L264-L277
Recommended Mitigation Steps
Consider not using
bento.toAmountto track the reservers and balances, but usebalanceOfinstead (as done in the other two pools).