code-423n4 / 2021-12-vader-findings


mintSynth is vulnerable to price manipulation. #88

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

certora

Vulnerability details

https://github.com/code-423n4/2021-12-vader/blob/main/contracts/dex-v2/pool/VaderPoolV2.sol#L153

mintSynth is vulnerable to price manipulation. amountSynth is calculated based on the current price, which can be manipulated.

Impact

Pool funds can be stolen.

Proof of Concept

Pool funds can be stolen in the following steps:

1. Take a flashloan of foreignAsset.
2. Swap the loan amount to the native asset, thus raising its price.
3. Call mintSynth to mint synth for a cheap price.
4. Swap the native asset from the swap back to foreignAsset.
5. Burn all synth for a high price.
6. Swap some of the native asset to foreignAsset to have enough funds to repay the flashloan.
7. Repay the flash loan and take the profit.

burnSynth is also vulnerable to price manipulation!

jack-the-pug commented 2 years ago

Dup #5
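
The weakness the finding describes is a mint priced off reserves that a swap in the same transaction can move. The model below is an added example, not code from the report or from VaderPoolV2. The fee-less constant-product pool, the reserves, the 2% tolerance and every name are assumptions, and the TWAP guard is one common mitigation, not something the report prescribes.

```python
# Added illustration: a simplified, fee-less constant-product pool (not VaderPoolV2 code).
# Reserves, the 2% tolerance and all names are constructed assumptions.
SCALE = 10**18  # fixed-point scale for prices


class Pool:
    def __init__(self, native, foreign, now=0):
        self.native, self.foreign = native, foreign
        self.start_ts = self.last_ts = now
        self.cumulative = 0  # running sum of spot price * seconds elapsed

    def spot(self):
        """Foreign per native from current reserves; changes with every swap."""
        return self.foreign * SCALE // self.native

    def _accrue(self, now):
        # Bank the price that held since the last update, before reserves change.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap_foreign_for_native(self, amount_in, now):
        self._accrue(now)
        k = self.native * self.foreign
        self.foreign += amount_in
        native_out = self.native - k // self.foreign
        self.native -= native_out
        return native_out

    def twap(self, now):
        self._accrue(now)
        elapsed = now - self.start_ts
        return self.cumulative // elapsed if elapsed else self.spot()

    def quote_spot(self, native_in):
        """Synth amount priced at the instantaneous reserve ratio."""
        return native_in * self.spot() // SCALE

    def quote_guarded(self, native_in, now, max_dev_bps=200):
        """Price at the TWAP and refuse if spot has drifted too far from it."""
        twap, spot = self.twap(now), self.spot()
        if abs(spot - twap) * 10_000 > twap * max_dev_bps:
            raise ValueError(f"spot {spot} deviates from twap {twap}")
        return native_in * twap // SCALE
```

With constructed reserves of 1,000,000 each, a 1,000,000 foreign swap at `now=3600` moves `quote_spot(1_000)` from 1,000 to 4,000 synth, while `twap(3600)` still reads 1:1 and `quote_guarded(1_000, now=3600)` raises.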