All bond evaluations are dynamic within the KUMASwap::sellBond and KUMASwap::buyBond functions; however, these functions take only token IDs as input arguments and do not perform any sanitization on the amount of KIB tokens minted or burned respectively.
In turn, this can lead to the user receiving fewer funds than they expected for the sale of a bond or the user paying a higher amount of KIB tokens than they were willing to. As the blockchain state between a transaction's submission to the network and a transaction's execution can differ, this is a significant issue commonly known as a slippage vulnerability.
The issue is especially applicable in the case of a purchase as the evaluation of a bond increases per second based on the implementation of KUMASwap::_getBondValue.
Proof of Concept
N/A
Tools Used
Manual review.
Recommended Mitigation Steps
The codebase should follow the DEX paradigm of an additional parameter signaling the minimum output / maximum input a user is willing to accept for a particular swap. In the case of a sale, the value should be utilized as the minimum amount of KIB tokens the user will receive. In the case of a purchase, the value should be utilized as a maximum instead. We should note that regardless of the bond's evaluation, the interest accrued in the KIBToken (getUpdatedCumulativeYield) can also be influenced between a transaction's submission and a transaction's execution in the network by invoking KIBToken::refreshYield.
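One way to apply the recommended bounds, shown as an added example that is not KUMASwap's code. The contract name, storage layout, in-contract KIB ledger, registerBond helper and the linear accrual in bondValue are assumptions standing in for the real token contracts and KUMASwap::_getBondValue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration only; not KUMASwap's code. The storage layout, the in-contract
/// KIB ledger and the linear accrual are simplifying assumptions.
contract SlippageGuardedSwap {
    struct Bond { address holder; uint256 principal; uint256 ratePerSecond; uint256 issuance; }

    address private constant RESERVE = address(0); // holder value for bonds held by the swap
    mapping(uint256 => Bond) public bonds;         // tokenId => bond
    mapping(address => uint256) public kib;        // simplified KIB balances

    error NotHolder();
    error NotInReserve();
    error OutputBelowMinimum(uint256 minted, uint256 minKIBOut);
    error InputAboveMaximum(uint256 burned, uint256 maxKIBIn);

    /// Hypothetical helper so the example is self-contained: register a bond for the caller.
    function registerBond(uint256 tokenId, uint256 principal, uint256 ratePerSecond) external {
        require(bonds[tokenId].issuance == 0, "bond exists");
        bonds[tokenId] = Bond(msg.sender, principal, ratePerSecond, block.timestamp);
    }

    /// Stand-in valuation: grows every second, so the quote a user saw can be stale.
    function bondValue(uint256 tokenId) public view returns (uint256) {
        Bond storage b = bonds[tokenId];
        return b.principal + b.ratePerSecond * (block.timestamp - b.issuance);
    }

    /// Sale: revert unless the KIB minted at execution time is at least minKIBOut.
    function sellBond(uint256 tokenId, uint256 minKIBOut) external returns (uint256 minted) {
        if (bonds[tokenId].holder != msg.sender) revert NotHolder();
        minted = bondValue(tokenId);
        if (minted < minKIBOut) revert OutputBelowMinimum(minted, minKIBOut);
        bonds[tokenId].holder = RESERVE;
        kib[msg.sender] += minted;
    }

    /// Purchase: revert unless the KIB burned at execution time is at most maxKIBIn.
    function buyBond(uint256 tokenId, uint256 maxKIBIn) external returns (uint256 burned) {
        Bond storage b = bonds[tokenId];
        if (b.issuance == 0 || b.holder != RESERVE) revert NotInReserve();
        burned = bondValue(tokenId);
        if (burned > maxKIBIn) revert InputAboveMaximum(burned, maxKIBIn);
        kib[msg.sender] -= burned; // checked arithmetic reverts on insufficient balance
        b.holder = msg.sender;
    }
}
```

In this simplified model only elapsed time moves the valuation; the two bounds are compared against the amount computed at execution, so they hold regardless of what changed it after the user signed.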
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KUMASwap.sol#L166 https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KUMASwap.sol#L224