Closed code423n4 closed 1 year ago
Keref marked the issue as sponsor disputed
There is no exchangeRate, and when the getTVL() value is used for liquidity calculation purposes (deposit/withdraw), there is an explicit price manipulation check: require(poolMatchesOracle(), "GEV: Oracle Error");
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L396
Vulnerability details
Impact
getTVL gets the total value of the tick's LP and participates in the calculation of exchangeRate. As a result, price updates can easily be sandwich attacked. Attackers can use exchangeRate updates to carry out sandwich arbitrage and steal all the funds, and other users will not be able to withdraw.
Proof of Concept
The PoC below provides simplified utilization code. The attacker used the sandwich to buy low and sell high to steal the tokens in the vault, and when other users withdrew, the balance was insufficient.
Tools Used
Foundry
Recommended Mitigation Steps
External price variables should not be used for exchangeRate calculations.
Assessed type
MEV
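
The following is an added illustration, not code from the report, the sponsor or the GoodEntry repository. It is a simplified Python model of the kind of guard the sponsor's comment describes, where a TVL valued at pool spot price is only used for share accounting while the pool price agrees with an oracle. The constant-product pool, the 1% tolerance, the reserve figures and every class and function name here are assumptions made for the sketch.

```python
# Added illustration: simplified model, not GeVault code. Reserves, the 1%
# tolerance and all class/function names are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Pool:
    """Fee-less constant-product pool (base * quote = k)."""
    base: float
    quote: float

    def spot_price(self) -> float:
        return self.quote / self.base

    def swap_quote_in(self, amount: float) -> float:
        """Trade `amount` quote tokens into the pool; returns base tokens paid out."""
        k = self.base * self.quote
        new_base = k / (self.quote + amount)
        out = self.base - new_base
        self.base, self.quote = new_base, self.quote + amount
        return out

def pool_matches_oracle(pool: Pool, oracle_price: float, tolerance: float = 0.01) -> bool:
    """True when the pool spot price is within `tolerance` (a fraction) of the oracle price."""
    return abs(pool.spot_price() - oracle_price) <= tolerance * oracle_price

@dataclass
class Vault:
    pool: Pool
    oracle_price: float
    base_held: float
    quote_held: float
    total_shares: float

    def tvl(self) -> float:
        """Holdings valued in quote tokens at the pool's current spot price."""
        return self.base_held * self.pool.spot_price() + self.quote_held

    def deposit(self, value: float) -> float:
        """Mint shares pro rata to TVL, but only while pool and oracle agree."""
        if not pool_matches_oracle(self.pool, self.oracle_price):
            raise ValueError("GEV: Oracle Error")
        minted = value * self.total_shares / self.tvl()
        self.quote_held += value
        self.total_shares += minted
        return minted
```

In this model a large swap moves the spot-valued TVL, and the same swap pushes the pool price outside the tolerance band, so the deposit path reverts instead of minting shares against the distorted value.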