code-423n4 / 2023-08-shell-findings

Max Price Ratio Manipulation #185

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-shell/blob/c61cf0e01bada04c3d6055acb81f61955ed600aa/src/proteus/EvolvingProteus.sol#L259

Vulnerability details

Impact

Vulnerable Part in Code:

py_init.div(py_init.sub(px_init)) > ABDKMath64x64.divu(uint(MAX_PRICE_RATIO), 1)
py_init (initial y-axis price) = 10^12 (1 trillion)
px_init (initial x-axis price) = 1

The calculation ratio is 1

price_ratio = 10^12 / (10^12 - 1) ≈ 1 (approximately)

MAX_PRICE_RATIO is set to 10^10 (10 billion), the condition for the vulnerability is met:

1 > 10^10 (condition is true)

This shows the vulnerability triggers, and the system accepts this price ratio as valid, even though it's vastly different from what's expected and reasonable within the context of the application.

With this manipulation, an attacker can:

Proof of Concept

Scenario: Imagine an Automated Market Maker (AMM) protocol that uses the code you provided, including the MAX_PRICE_RATIO value set to an unexpectedly high value. This protocol allows users to swap between two tokens, X and Y, based on their price ratio. The legitimate and reasonable price ratio range for this scenario is 1 to 100.

Exploitation Steps:

Attacker examines the smart contract code and discovers the MAX_PRICE_RATIO vulnerability. Attacker prepares a transaction to exploit the vulnerability.

Let's assume the following values:

MAX_PRICE_RATIO = 10^10
py_init (initial y-axis price) = 1000 (1,000 units of token Y)
px_init (initial x-axis price) = 10 (10 units of token X)

The attacker calculates the expected price ratio:

expected_price_ratio = 1000 / (1000 - 10) = 1.010101...

Since expected_price_ratio is significantly lower than MAX_PRICE_RATIO, the attacker knows that a transaction involving this price ratio should be accepted, even though it's not reasonable.

The attacker crafts a swap transaction with the following parameters:

Input amount: 1000 units of token X
Output amount: 990 units of token Y based on the expected price ratio

The attacker submits the transaction, and the system processes it successfully. The smart contract doesn't reject the transaction due to the vulnerability.

Tools Used

Assessed type

Other

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as low quality report

0xRobocop commented 1 year ago

Insufficient proof.

Invalid premises:

for instance, due to a misconfiguration or oversight, the constant MAX_PRICE_RATIO is set to a ridiculously high value of 10^10.

MAX_PRICE_RATIO is hardcoded:

int256 constant MAX_PRICE_RATIO = 10**4; // to be comparable with the prices calculated through abdk math
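
The comparison discussed in this thread can be checked numerically. The following is an added example, not part of the original thread or of the Shell Protocol code: a Python model of the quoted expression in signed 64.64 fixed point, evaluated on the two input pairs from the report against the MAX_PRICE_RATIO value quoted in the comment above. The helper names, the overflow model and the two "constructed" input pairs are assumptions made for the illustration.

```python
# Added illustration: Python model of the quoted guard in signed 64.64 fixed point.
# Helper names and the "constructed" inputs are assumptions, not project code.
MIN_64x64 = -(1 << 127)
MAX_64x64 = (1 << 127) - 1
MAX_PRICE_RATIO = 10**4  # value quoted in the comment above


def _checked(v):
    # ABDK reverts when a result leaves the int128 range; modelled as an exception.
    if not MIN_64x64 <= v <= MAX_64x64:
        raise OverflowError("64.64 overflow")
    return v


def to_fixed(numerator, denominator=1):
    """Non-negative rational -> 64.64, truncating (stands in for divu)."""
    return _checked((numerator << 64) // denominator)


def fx_sub(x, y):
    return _checked(x - y)


def fx_div(x, y):
    if y == 0:
        raise ZeroDivisionError("division by zero")
    q = abs(x << 64) // abs(y)  # Solidity integer division truncates toward zero
    return _checked(q if (x < 0) == (y < 0) else -q)


def guard_ratio(py_init, px_init):
    """Left-hand side of the quoted comparison: py_init / (py_init - px_init)."""
    return fx_div(py_init, fx_sub(py_init, px_init))


def guard_trips(py_init, px_init):
    """True when the quoted comparison holds (ratio strictly above the limit)."""
    return guard_ratio(py_init, px_init) > to_fixed(MAX_PRICE_RATIO)


CASES = {
    "report, Impact values": (to_fixed(10**12), to_fixed(1)),
    "report, PoC values": (to_fixed(1000), to_fixed(10)),
    "constructed, px_init = 9999": (to_fixed(10**4), to_fixed(9999)),
    "constructed, px_init = 9999.5": (to_fixed(10**4), to_fixed(19999, 2)),
}

if __name__ == "__main__":
    for label, (py, px) in CASES.items():
        print(f"{label}: ratio={guard_ratio(py, px) / (1 << 64):.6f} trips={guard_trips(py, px)}")
```

In this model the comparison holds only once px_init comes within py_init / 10^4 of py_init: the expression bounds py_init / (py_init - px_init), not py_init / px_init.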

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as duplicate of #6

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as sufficient quality report

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as not a duplicate

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as low quality report

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as primary issue

c4-judge commented 1 year ago

JustDravee marked the issue as unsatisfactory: Insufficient proof