Open code423n4 opened 2 years ago
The warden has shown how the LP Token Pricing math is incorrect; this is a mispricing that historically has resulted in total loss of funds, and the subject is well known.
Remediation can be attained by following the guide linked: https://cmichel.io/pricing-lp-tokens/
Because the:
High Severity is appropriate
Lines of code
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L522-L526
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L198-L217
Vulnerability details
The LP pair underlying price quote could be manipulated
Impact
The underlying price for the LP pool pair can be manipulated. This kind of price manipulation has happened before, and can be found here: Warp Finance event.
This may lead to the exploit of the pool by a malicious user.
Proof of Concept
file: lending-market-v2/contracts/Stableswap/BaseV1-periphery.sol 522-526, 198-217:
The price of the LP pair is determined by the TVL of the pool, given by:
amt0 * price0 + amt1 * price1
However, when a malicious user dumps a large amount of any token into the pool, the whole TVL will be significantly increased, which leads to improper calculation of the price.
Tools Used
Manual analysis
Recommended Mitigation Steps
A different approach to calculate the LP price can be found here.
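The following is an added example, not part of the original report or the project's code. It compares the TVL-based quote described above with the fair-price formula for constant-product pools, 2·sqrt(r0·r1)·sqrt(p0·p1)/totalSupply, as reserves are skewed. It assumes an x*y=k pool, zero swap fee and external prices p0, p1 from an oracle the pool cannot influence; other curves need their own derivation. All function names and sample values are constructed for illustration.

```python
import math

def naive_lp_price(r0, r1, p0, p1, supply):
    """TVL-based quote from the report: (amt0*price0 + amt1*price1) / supply."""
    return (r0 * p0 + r1 * p1) / supply

def fair_lp_price(r0, r1, p0, p1, supply):
    """Fair quote for an x*y=k pool. It depends on the reserves only through
    k = r0*r1, which a swap cannot lower, so skewing the pool does not move it."""
    return 2 * math.sqrt(r0 * r1) * math.sqrt(p0 * p1) / supply

def swap_in_token0(r0, r1, amount_in):
    """Fee-less constant-product swap of token0 for token1; returns new reserves."""
    out = r1 * amount_in / (r0 + amount_in)
    return r0 + amount_in, r1 - out

def demo():
    # Constructed sample pool: 1,000,000 token0 at $1 and 500 token1 at $2000.
    p0, p1 = 1.0, 2000.0
    r0, r1 = 1_000_000.0, 500.0
    supply = math.sqrt(r0 * r1)  # LP supply minted at pool creation

    before = (naive_lp_price(r0, r1, p0, p1, supply),
              fair_lp_price(r0, r1, p0, p1, supply))

    # Reserves after a large one-sided trade; the oracle prices stay unchanged.
    s0, s1 = swap_in_token0(r0, r1, 9_000_000.0)
    after = (naive_lp_price(s0, s1, p0, p1, supply),
             fair_lp_price(s0, s1, p0, p1, supply))

    return {"naive_before": before[0], "fair_before": before[1],
            "naive_after": after[0], "fair_after": after[1]}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>13}: {value:10.2f}")
```

At balanced reserves the two quotes agree; after the reserves are skewed only the TVL-based quote changes, which is the property a collateral valuation needs to avoid.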