code-423n4 / 2023-07-tapioca-findings


Calc token amount can be manipulated #1647

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/curve/TricryptoLPGetter.sol#L200-L203

Vulnerability details

Impact

    // TricryptoLPGetter.sol: quotes the LP tokens expected for a deposit by asking the pool itself
    function _calcDepositInOneCoin(
        uint256[3] memory arr
    ) private view returns (uint256) {
        return liquidityPool.calc_token_amount(arr, true);
    }

This function is used to calculate slippage. The return value of calc_token_amount can be manipulated (as described in the POC section), so liquidity addition and removal can bypass the slippage check and be sandwiched.

Proof of Concept

Here calc_token_amount relies on the virtual_price of the pool, which can be heavily manipulated by re-entering after changing virtual_price and withdrawing in native ETH (via the fallback function) due to an imbalance created using a flash loan (read-only re-entrancy).

Tools Used

Manual Review

Recommended Mitigation Steps

Use offchain oracles to mark slippage checks

Assessed type

Oracle
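As an added illustration (not code from the Tapioca repository or from the issue author), here is the quote-from-the-pool pattern the finding describes beside a version that takes its minimum LP amount from an off-chain quote, as the mitigation above suggests. The contract name, SLIPPAGE_BPS and the minimal Curve interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Minimal view of the Curve tricrypto pool functions used below (assumed interface).
interface ICurveTricrypto {
    function calc_token_amount(uint256[3] calldata amounts, bool deposit) external view returns (uint256);
    function add_liquidity(uint256[3] calldata amounts, uint256 minMintAmount) external;
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical depositor contract used only to contrast the two patterns.
contract TricryptoDepositExample {
    ICurveTricrypto public immutable liquidityPool;
    IERC20 public immutable lpToken;
    uint256 public constant SLIPPAGE_BPS = 50; // 0.5% tolerance (assumed value)

    constructor(ICurveTricrypto pool, IERC20 lp) {
        liquidityPool = pool;
        lpToken = lp;
    }

    /// Weak: the reference amount is read from the same pool in the same transaction,
    /// so whoever can move the pool's state (e.g. via read-only re-entrancy) also moves
    /// the bound the check is measured against. The check then passes on a bad fill.
    function depositWeak(uint256[3] memory amounts) external {
        uint256 expected = liquidityPool.calc_token_amount(amounts, true);
        uint256 minOut = (expected * (10_000 - SLIPPAGE_BPS)) / 10_000;
        liquidityPool.add_liquidity(amounts, minOut);
    }

    /// Hardened: the minimum LP amount comes from the caller, computed off-chain from a
    /// reference the pool cannot influence; the LP tokens actually received are verified.
    function depositHardened(uint256[3] memory amounts, uint256 minLpOut) external {
        require(minLpOut > 0, "minLpOut required");
        uint256 before = lpToken.balanceOf(address(this));
        liquidityPool.add_liquidity(amounts, minLpOut);
        uint256 minted = lpToken.balanceOf(address(this)) - before;
        require(minted >= minLpOut, "slippage");
    }
}
```

The pool itself also enforces minMintAmount inside add_liquidity; the balance-delta check is kept so the guarantee does not rest on pool code alone.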

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #163

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #245

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Insufficient quality