Open code423n4 opened 2 years ago
Seems the same as #2
Agree on the finding. This finding claims that adding liquidity on Curve while treating each token to have the same weight is a surefire way to get less tokens than expected
While #2 addresses a similar (IMO higher risk) vulnerability
This finding shows how the vault can have a loss of value through how it deals with token accounting
To me this is a unique finding, however am downgrading it to medium
Handle
tensors
Vulnerability details
Impact
Because the call in _addLiquidity forwards the entire balances of the 3 stablecoins without checking the ratio between the 3, less liquidity is minted than what should be wanted. Furthermore, an attacker can abuse this to arbitrage the forwarded balances if the discrepancy is large enough.
For example, suppose the contract holds $10K each of usdc, usdt, dai. An attacker deposits $100K worth of DAI and gets credited with $100K worth of shares in the protocol. Liquidity is added, but since the ratio is now skewed 11:1:1, a lot less liquidity is minted by the stableswap algorithm to the protocol. The attacker can now arbitrage the curve pool for an additional profit.
There doesn't even need to be an attacker, just an unbalanced amount of user deposits will also lead to lower liquidity minted.
Proof of Concept
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/strategies/NativeStrategyCurve3Crv.sol#L73
Recommended Mitigation Steps
Adding liquidity should probably be managed more manually; it should be added in equal proportion to the curve pool balances, not the contract balances.
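
A numeric sketch of the effect described under Impact, added here and not part of the report or the yAxis code: a fee-free model of the StableSwap invariant that compares the LP minted when the 11:1:1 balances are forwarded as-is against the same value split in pool proportion. The amplification coefficient, the pool size, the assumption that LP supply equals D, and all function names are assumptions made for the illustration.

```python
# Added illustration: fee-free StableSwap model, all amounts in 18-decimal units.
# AMP and the pool balances are constructed values, not read from any live pool.
UNIT = 10**18
AMP = 100  # assumed amplification coefficient


def get_d(balances, amp=AMP):
    """Solve the StableSwap invariant for D by Newton iteration (integer math)."""
    n = len(balances)
    s = sum(balances)
    if s == 0:
        return 0
    d, ann = s, amp * n
    for _ in range(255):
        d_p = d
        for x in balances:
            d_p = d_p * d // (x * n)
        d_prev = d
        d = (ann * s + d_p * n) * d // ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - d_prev) <= 1:
            return d
    raise RuntimeError("invariant did not converge")


def lp_minted(pool, lp_supply, amounts):
    """LP tokens minted for a deposit, ignoring fees: supply * (D1 - D0) / D0."""
    d0 = get_d(pool)
    d1 = get_d([b + a for b, a in zip(pool, amounts)])
    return lp_supply * (d1 - d0) // d0


def compare(pool, deposit):
    """Return (minted as forwarded, minted if split in pool proportion)."""
    supply = get_d(pool)  # assumption: LP supply equals D before the deposit
    total = sum(deposit)
    proportional = [total * b // sum(pool) for b in pool]
    return lp_minted(pool, supply, deposit), lp_minted(pool, supply, proportional)


# Scenario from the report: $10K of each coin held, plus a $100K DAI deposit.
POOL = [1_000_000 * UNIT] * 3  # constructed balanced pool
FORWARDED = [110_000 * UNIT, 10_000 * UNIT, 10_000 * UNIT]

if __name__ == "__main__":
    skewed, balanced = compare(POOL, FORWARDED)
    print(f"forwarded 11:1:1  -> {skewed / UNIT:,.2f} LP")
    print(f"pool-proportional -> {balanced / UNIT:,.2f} LP")
```

The model ignores fees and uses a constructed pool, so the printed figures show only the direction of the effect and how it grows as the deposit becomes large relative to the pool.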