Open code423n4 opened 1 year ago
asselstine marked the issue as sponsor confirmed
Picodes changed the severity to 2 (Med Risk)
Picodes changed the severity to 3 (High Risk)
Picodes marked the issue as satisfactory
Picodes changed the severity to 2 (Med Risk)
If someone deposits a small amount frequently, currentPeriod and newestObservationPeriod will always be the same and new observation won't be created
-> this only works for small deposits within the same PERIOD_LENGTH, otherwise timestamp roundings will differ.
This report shows how, by leveraging the fact that new observations are not created if the previous observation falls within the same period, an attacker could modify its average balance for the final period if a draw ends within a period.
Added safe boundary checks: https://github.com/GenerationSoftware/pt-v5-twab-controller/pull/5
Lines of code
https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/libraries/TwabLib.sol#L352-L391
Vulnerability details
Impact
Users can alter the record of their balances.
Proof of Concept
If a user's delegateBalance has changed, an observation is recorded. If a new observation is needed, one is created; otherwise the newest observation is overwritten.
Whether a new observation is created is decided in the _getNextObservationIndex() function.
newestObservationPeriod is the period of the newest observation. currentPeriod is the period computed from uint32 currentTime = uint32(block.timestamp).
The problem is that if someone deposits a small amount frequently, currentPeriod and newestObservationPeriod will always be the same and no new observation will be created. Attackers can keep doing this until closeDraw and manipulate their recorded balances.
According to the docs: If a draw were to start and end within a period a user would be able to alter the record of their balance for that draw by overwriting an Observation.
It is important to note that due to Observation overwriting, average balances for a period are not finalized until a period ends. Therefore if a draw ends but a period has not, a user would be able to manipulate their average balance for that final period of time after the draw ends. This would result in an inaccurate record of their balance held during the draw.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Other