This loss is calculated by the current reserves of the pool so if an LP can manipulate the pool's reserves they can artificially engineer a huge amount of IL in order to qualify for a payout up to the size of their LP position.
Be an LP for a reasonable period of time (IL protection scales linearly up to 100% after a year)
Flashloan a huge amount of one of the pool's assets.
Trade against the pool with the flashloaned funds to unbalance it such that your LP position has huge IL.
Remove your liquidity and receive compensation from the reserve for the IL you have engineered.
Re-add your liquidity back to the pool.
Trade against the pool to bring it back into balance.
The attacker now holds the majority of their flashloaned funds (minus slippage/swap fees) along with a large fraction of the value of their LP position in VADER paid out from the reserve. The value of their LP position is unchanged. Given a large enough LP position, the IL protection funds extracted from the reserve will exceed the funds lost to swap fees and the attacker will be able to repay their flashloan with a profit.
This is a high risk issue as after a year any large LP is incentivised and able to perform this attack.
Recommended Mitigation Steps
Use a manipulation resistant oracle for the relative prices of the pool's assets (TWAP, etc.)
This mechanism has been implemented as described by the Thorchain model. Can the warden submit details as to how it is meant to be exploited, i.e. a test case?
Handle
TomFrench
Vulnerability details
Impact
Impermanent loss protection can be exploited to drain the reserve.
Proof of Concept
In
VaderPoolV2.burn
we calculate the current losses that the LP has made to impermanent loss.https://github.com/code-423n4/2021-11-vader/blob/3a43059e33d549f03b021d6b417b7eeba66cf62e/contracts/dex-v2/pool/VaderPoolV2.sol#L237-L269
These losses are then refunded to the LP in VADER tokens from the reserve
https://github.com/code-423n4/2021-11-vader/blob/3a43059e33d549f03b021d6b417b7eeba66cf62e/contracts/dex-v2/router/VaderRouterV2.sol#L208-L227
This loss is calculated by the current reserves of the pool so if an LP can manipulate the pool's reserves they can artificially engineer a huge amount of IL in order to qualify for a payout up to the size of their LP position.
https://github.com/code-423n4/2021-11-vader/blob/3a43059e33d549f03b021d6b417b7eeba66cf62e/contracts/dex/math/VaderMath.sol#L73-L93
The attack is then as follows.
The attacker now holds the majority of their flashloaned funds (minus slippage/swap fees) along with a large fraction of the value of their LP position in VADER paid out from the reserve. The value of their LP position is unchanged. Given a large enough LP position, the IL protection funds extracted from the reserve will exceed the funds lost to swap fees and the attacker will be able to repay their flashloan with a profit.
This is a high risk issue as after a year any large LP is incentivised and able to perform this attack.
Recommended Mitigation Steps
Use a manipulation resistant oracle for the relative prices of the pool's assets (TWAP, etc.)