Open code423n4 opened 3 years ago
This is the intended design of the Thorchain CLP model. Can the warden provide a tangible attack vector in the form of a test?
Sponsor is acknowledging the issue.
@alcueca We do not acknowledge the issue. This is the intended design of the CLP model and the amount supplied for a trade is meant to be safeguarded off-chain. It is an inherent trait of the model.
Handle
WatchPug
Vulnerability details
The current design/implementation of Vader pool allows users to
addLiquidity
using arbitrary amounts instead of a fixed ratio of amounts in comparison to Uni v2.We believe this design is flawed and it essentially allows anyone to manipulate the price of the pool easily and create an arbitrage opportunity at the cost of all other liquidity providers.
An attacker can exploit this by adding liquidity in extreme amounts and drain the funds from the pool.
https://github.com/code-423n4/2021-11-vader/blob/429970427b4dc65e37808d7116b9de27e395ce0c/contracts/dex-v2/pool/VaderPoolV2.sol#L284-L335
PoC
Given:
100,000 USDV
and1 BTC
;totalPoolUnits
is100
.The attacker can do the following in one transaction:
100,000 USDV
and 0 BTC, get50 liquidityUnits
, representing 1/3 shares of the pool;0.1 BTC
to USDV, repeat for 5 times; spent0.5 BTC
and got62163.36 USDV
;45945.54 USDV
and0.5 BTC
; profit for: 62163.36 + 45945.54 - 100000 = 8108.9 USDV.