search

code-423n4 / 2021-11-vader-findings

0 stars 0 forks source link

`leave` function is susceptible to flashloan attack #270

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

hack3r-0m

Vulnerability details

https://github.com/code-423n4/2021-11-vader/blob/main/contracts/x-vader/XVader.sol#L51-L57

One has few _shares already obtained from enter

One can transfer a large amount of Vader (borrowed using flashloan) and send it directly to xVader and then call leave

vaderAmount = (_shares * vader.balanceOf(address(this))) / totalSupply()

will multiplex shares due to large vader.balanceOf(address(this))

_burn(msg.sender, _shares);

will burn the actual amount of shares the user had.

vader.transfer(msg.sender, vaderAmount);

will transfer a large multiplexed amount to the caller.

caller pay back borrowed Vader and keeps the profit.

0xstormtrooper commented 3 years ago

vaderAmount = (_shares * vader.balanceOf(address(this))) / totalSupply()

shares / totalSupply <= 1

When shares < totalSupply, vaderAmount < vader.balanceOf(address(this))

Attacker won't be able to pay back flash loan

alcueca commented 2 years ago

Dispute accepted.