code-423n4 / 2023-07-amphora-findings


Some Curve pools have implementations such that Amphora's liquidations always revert. #386

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-amphora/blob/daae020331404647c661ab534d20093c875483e1/core/solidity/contracts/periphery/oracles/EthSafeStableCurveOracle.sol#L36-L44

Vulnerability details

Impact

_updateVirtualPrice would always revert for some Curve pools.

Proof of Concept

In EthSafeStableCurveOracle.sol, the _updateVirtualPrice function calls remove_liquidity with 0 as the amount to lock the Curve pool and prevent reentrancy attacks. However, for certain Curve pools like the CRV/ETH pool (0x8301ae4fc9c624d1d396cbdaa1ed877821d7c511, https://curve.fi/#/ethereum/pools/crveth/), calling remove_liquidity(0, [0,0]) always reverts due to an underflow.

Tools Used

Manual review

Recommended Mitigation Steps

Use the claim_admin_fees function instead of remove_liquidity.

Assessed type

Under/Overflow
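
The failure mode reported above, as an added Python model that is not part of the original report and is not Curve or Amphora code: it compares what a zero-amount remove_liquidity probe and a claim_admin_fees probe observe on two constructed pool models. Assumptions: the class and function names are hypothetical, the underflow is modeled as the pool subtracting 1 from the requested amount (the report only says "an underflow"), and claim_admin_fees is assumed to sit behind the same reentrancy lock.

```python
# Constructed model for illustration; not Curve or Amphora code.
class Revert(Exception):
    """Stands in for an EVM revert."""

def checked_sub(a, b):
    # Checked uint256 subtraction: reverts instead of wrapping around.
    if b > a:
        raise Revert("underflow")
    return a - b

class ModelPool:
    def __init__(self, subtracts_one, locked=False):
        # Assumption: the underflow comes from the pool subtracting 1 from
        # the requested amount. The report only says "an underflow".
        self.subtracts_one = subtracts_one
        self.locked = locked  # True while another pool call is in progress

    def _nonreentrant(self):
        if self.locked:
            raise Revert("reentrant call")

    def remove_liquidity(self, amount, min_amounts):
        self._nonreentrant()
        if self.subtracts_one:
            amount = checked_sub(amount, 1)  # reverts when amount == 0
        return amount

    def claim_admin_fees(self):
        # Assumption: guarded by the same lock as remove_liquidity.
        self._nonreentrant()

def probe(pool, method):
    """Return what an oracle would observe when probing the pool's lock."""
    try:
        if method == "remove_liquidity":
            pool.remove_liquidity(0, [0, 0])
        else:
            pool.claim_admin_fees()
        return "ok"
    except Revert as exc:
        return "revert: " + str(exc)

def survey():
    out = {}
    for name, sub in (("stable_like", False), ("underflow_on_zero", True)):
        for locked in (False, True):
            for method in ("remove_liquidity", "claim_admin_fees"):
                out[(name, locked, method)] = probe(ModelPool(sub, locked), method)
    return out
```

In this model the remove_liquidity probe reverts on the underflow_on_zero pool whether or not the lock is held, so every caller that depends on it fails, while the claim_admin_fees probe reverts only when the lock is held.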

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #105

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Insufficient quality