c4-judge
commented
1 year ago 0xleastwood marked the issue as primary issue
Closed c4-submissions closed 1 year ago
c4-judge
commented
1 year ago 0xleastwood marked the issue as primary issue
c4-judge
commented
1 year ago 0xleastwood marked the issue as duplicate of #39
c4-judge
commented
1 year ago 0xleastwood marked the issue as duplicate of #23
c4-judge
commented
1 year ago 0xleastwood changed the severity to 3 (High Risk)
c4-judge
commented
1 year ago 0xleastwood marked the issue as satisfactory
c4-judge
commented
1 year ago 0xleastwood marked the issue as partial-25
0xleastwood
commented
1 year ago Giving partial credit because it only outlines sandwich attack on depositRewards() and not the two other functions as outlined in the primary issue.
c4-judge
commented
1 year ago 0xleastwood marked the issue as partial-50
elmutt
commented
1 year ago I dont think our planned fixes for #23 will necessarily fix this issue (I see it marked as a dupe of #23)
toshiSat
commented
12 months ago
- Make
depositRewards()being invoked internally only by underlying strategies.
I agree, putting a min_out on depositRewards would not prevent this attack
elmutt
commented
12 months ago https://github.com/asymmetryfinance/afeth/pull/190
this should solve it
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L272-L293
Vulnerability details
Vulnerability Details
Upon claiming Votium rewards,
applyRewards()is intended to be invoked in order to exchange the tokens for eth and put the eth received back into the strategies. Based on the currentratioit either stakes the amount into safETH or obtains some CVX by selling eth on Curve and then locks them to get vlCVX.Since
afETH.depositRewards()orVotiumStrategy.depositRewards()can be called by anyone, an adversary is able to manipulate the CVX/ETH pool in such a way that the CVX tokens will be bought at inflated rates creating an arbitrage opportunity for an adversary.Impact
It's possible to steal any eth hold by
afETHorVotiumStrategy.But when exactly
afETHorVotiumStrategywill hold some eth apart from accidental eth transfers? This has been discussed with the sponsors and we have the following context:Possibility to boost user rewards by dropping additional eth and re-investing them after the rewards being received. The time difference between additional eth being dropped and rewards from Votium being claimed is exactly what an adversary needs to steal that additional eth.
In a case, where the
ratio > safEthRatiorewarder oracle will not be able to invokeapplyRewards()after rewards being claimed due to the min deposit amount limits setted by safETH, which ultimately results in tx reversion.Upon further supporting more strategies.
Marking this as medium severity, since the impact is critical, but the likelihood is low/medium.
Proof of Concept
afETH.depositRewards()/VotiumStrategy.depositRewards()while the rates are inflated.Recommended Mitigation Steps
Short term:
depositRewards()being invoked internally only by underlying strategies.Long term:
x%, the whole tx will be reverted. Basically, setting the slippage control by utilizing price oracles.Assessed type
Context