c4-judge
commented
1 year ago kirk-baird marked the issue as primary issue
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago kirk-baird marked the issue as primary issue
c4-sponsor
commented
1 year ago vaporkane marked the issue as sponsor acknowledged
c4-judge
commented
1 year ago kirk-baird marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-05-xeth/blob/main/src/AMO2.sol#L239 https://github.com/code-423n4/2023-05-xeth/blob/main/src/AMO2.sol#L286
Vulnerability details
Rebalance amounts should be checked so that updated balances falls within thresholds
Rebalance operations are allowed when the current percentage of xETH in the Curve pool is outside the defined thresholds. However, there is no check to ensure that the amount of xETH added or burned from the pool will update the percentage to be within the limits.
Impact
Rebalance actions in the AMO contract are first validated to ensure that a rebalance is indeed needed in the first place. This is implemented by calculating the percentage of xETH in the pool, and comparing the result against two limits that define an acceptable range.
Rebalance up is allowed when the percentage of xETH in the Curve pool is above the
REBALANCE_UP_THRESHOLD, in which case xETH is withdrawn from the pool and burned to lower the percentage. Similarly, rebalance down is allowed when the percentage falls below theREBALANCE_DOWN_THRESHOLDvalue, in which case xETH is minted and added to the pool, increasing the percentage.While care is taken to ensure that these operations are indeed only allowed when the percentages are outside the defined bounds, there is no check to ensure that the amount of xETH burned or minted will update the percentage to be within the bounds.
Proof of concept
During a rebalance operation, a malicious or improperly operating defender can exploit the opportunity to modify the pool balance in their favor, potentially exceeding the desired boundaries.
For example, if
xEthPct > REBALANCE_UP_THRESHOLDis true, thepreRebalanceCheck()function would allow arebalanceUp()operation. In such a scenario, the defender could deliberately lower the percentage to below the desiredREBALANCE_DOWN_THRESHOLD, potentially gaining an advantage if the account is compromised or if there is a malfunction in the bot operating off-chain.Recommendation
Add a check to ensure that updated balances comply with the thresholds boundaries. When minting or burning xETH from the pool, the updated balance of xETH should produce a percentage that is within the accepted range.
Assessed type
Invalid Validation