Closed code423n4 closed 1 year ago
141345 marked the issue as primary issue
Keref marked the issue as sponsor disputed
Rebalance doesn't do swaps but only moves assets around. Value of underlying assets only depends on assets price and amounts, not how those are distributed among various Uniswap positions.
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L280 https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L226-L239
Vulnerability details
Impact
When prices move, vault will do rebalance to adjust its token distribution. However, due to the placement of rebalance call inside deposit and withdraw, user can easily sandwich the operations.
Proof of Concept
Consider this scenario :
GeVault that hold ETH/USDC not yet rebalance to this price.
deposit, will still use current vault value when calculating the amount of liquidity received :
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L247-L284
It can be observed that liquidity is calculated using vaultValueX8 from getTVL() operation :
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L392-L397
And the valueX8 depends on latestAnswer call that will eventually call returnExpectedBalanceWithoutFees to determine token amounts that will be used to determine the value :
If price goes up, but rebalance has not yet happened, the amt1 token portion used will be bigger and this causes the vault value to be lower.
So user will mint liquidity based on this value, rebalance operation happened after this calculation. Right after deposit, user can call withdraw to get the profit from price movement.
Tools Used
Manual review
Recommended Mitigation Steps
Consider to move rebalance operation before the deposit and withdraw operation :
Assessed type
MEV
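The share accounting discussed in the report and in the sponsor's reply, as an added toy model in Python (not GoodEntry's code and not part of the submission): it checks that a rebalance which only moves tokens between positions leaves the TVL, and so the minted share count, unchanged, and it quantifies the dilution to existing holders if the TVL used at mint time were understated. The pro-rata mint formula, the function names and all numbers are assumptions.

```python
# Added example: toy accounting model, not GoodEntry code. All numbers are constructed.

def tvl_x8(positions, price0_x8, price1_x8):
    """Vault value from per-position token amounts and oracle prices only."""
    return sum(a0 * price0_x8 + a1 * price1_x8 for a0, a1 in positions)

def rebalance(positions, weights):
    """Move tokens between positions by weight. No swap: per-token totals are conserved."""
    t0 = sum(a0 for a0, _ in positions)
    t1 = sum(a1 for _, a1 in positions)
    w = sum(weights)
    out = [[t0 * k // w, t1 * k // w] for k in weights]
    out[-1][0] += t0 - sum(p[0] for p in out)  # rounding dust goes to the last position
    out[-1][1] += t1 - sum(p[1] for p in out)
    return [tuple(p) for p in out]

def shares_to_mint(total_supply, deposit_value_x8, vault_value_x8):
    """Assumed pro-rata mint: totalSupply * valueX8 / vaultValueX8."""
    if total_supply == 0 or vault_value_x8 == 0:
        return deposit_value_x8
    return total_supply * deposit_value_x8 // vault_value_x8

def mint_is_order_independent(positions, weights, p0, p1, supply, deposit_value_x8):
    """True when valuing before or after rebalance mints the same number of shares."""
    before = tvl_x8(positions, p0, p1)
    after = tvl_x8(rebalance(positions, weights), p0, p1)
    return (shares_to_mint(supply, deposit_value_x8, before)
            == shares_to_mint(supply, deposit_value_x8, after))

def holder_dilution_x8(supply, deposit_value_x8, true_tvl_x8, used_tvl_x8):
    """Value shifted from existing holders when the mint uses used_tvl_x8."""
    minted = shares_to_mint(supply, deposit_value_x8, used_tvl_x8)
    claim = (true_tvl_x8 + deposit_value_x8) * minted // (supply + minted)
    return claim - deposit_value_x8

X8 = 10**8
POSITIONS = [(10, 0), (5, 10_000)]      # (ETH, USDC) per position, constructed
ETH_X8, USDC_X8 = 2_000 * X8, 1 * X8    # constructed oracle prices

if __name__ == "__main__":
    print(mint_is_order_independent(POSITIONS, [1, 3], ETH_X8, USDC_X8, 1_000, 4_000 * X8))
    print(holder_dilution_x8(1_000, 4_000 * X8, 40_000 * X8, 40_000 * X8))
    print(holder_dilution_x8(1_000, 4_000 * X8, 40_000 * X8, 32_000 * X8))
```

In a test suite, the same equality (TVL before rebalance equals TVL after, at a fixed oracle price) is the invariant that decides whether the ordering of rebalance relative to the mint calculation can matter at all.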