code-423n4 / 2023-09-asymmetry-findings


`VotiumStrategy.price()` does not validate Chainlink response #64

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/6b4867491350f8327d0ac4f496f263642cf3c1be/contracts/strategies/votium/VotiumStrategy.sol#L32

Vulnerability details

Impact

AfEth.deposit() may mint an incorrect amount of afEth. VotiumStrategy.price() may return an incorrect price of vAfEth. AfEth.price() may return an incorrect price of afEth.

Proof of Concept

VotiumStrategy.price()

```solidity
function price() external view override returns (uint256) {
    return (cvxPerVotium() * ethPerCvx(false)) / 1e18;
}
```

calls ethPerCvx(false), where false implies that the Chainlink response is not validated. VotiumStrategy.price() may thus return an invalid value. VotiumStrategy.price() is used by AfEth.price() in the calculation of the price of afEth. Both of these price() functions are used in AfEth.deposit() to calculate the amount of afEth to mint. If the Chainlink response is invalid, an incorrect amount of afEth may thus be minted, instead of reverting.

Recommended Mitigation Steps

ethPerCvx(true) is used in the far less critical AfEth.depositRewards(). It should be used here as well.

Assessed type

Invalid Validation
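Added example, not part of the original submission and not the Asymmetry code: a minimal sketch of a price path that reverts on a bad Chainlink round instead of returning it. The contract name, the `MAX_AGE` window, the specific checks, and passing `cvxPerVotium` as a parameter are assumptions; only `latestRoundData()` and the `ethPerCvx(bool)` / `price()` shape come from Chainlink's interface and this issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Chainlink's standard feed interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical illustration, not the VotiumStrategy source.
contract CvxEthOracleExample {
    AggregatorV3Interface public immutable feed; // CVX/ETH feed, supplied at deploy
    uint256 public constant MAX_AGE = 25 hours;  // assumed staleness window

    error InvalidOracleResponse();

    constructor(AggregatorV3Interface _feed) {
        feed = _feed;
    }

    // Same flag shape as ethPerCvx(bool) in the issue. With _validate == false
    // a zero, negative or stale answer is passed straight through; a negative
    // int256 even wraps to a huge uint256 on the explicit cast below.
    function ethPerCvx(bool _validate) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (_validate) {
            bool bad = roundId == 0 ||
                answer <= 0 ||
                updatedAt == 0 ||
                updatedAt > block.timestamp ||            // checked first, so no underflow below
                block.timestamp - updatedAt > MAX_AGE;    // stale round
            if (bad) revert InvalidOracleResponse();
        }
        return uint256(answer);
    }

    // Price path with validation on: a bad round reverts the caller
    // (for example a deposit) instead of feeding a wrong price into minting.
    function price(uint256 cvxPerVotium) external view returns (uint256) {
        return (cvxPerVotium * ethPerCvx(true)) / 1e18;
    }
}
```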

elmutt commented 1 year ago

https://github.com/asymmetryfinance/afeth/pull/165

https://github.com/asymmetryfinance/afeth/pull/177

c4-judge commented 1 year ago

0xleastwood marked the issue as duplicate of #34

c4-judge commented 1 year ago

0xleastwood marked the issue as satisfactory

c4-judge commented 1 year ago

0xleastwood changed the severity to 3 (High Risk)

c4-judge commented 1 year ago

0xleastwood marked the issue as partial-50

0xleastwood commented 1 year ago

Partial credit because it is lacking additional information about impact.

c4-judge commented 1 year ago

0xleastwood removed the grade

d3e4 commented 1 year ago

> Partial credit because it is lacking additional information about impact.

What information about impact is missing? The main issue #34 explains the calculation chain such that the invalid Chainlink response implies an invalid VotiumStrategy price, which implies an invalid afEth price, which implies an invalid mint amount. This is precisely the impact stated here as well.

0xleastwood commented 12 months ago

Noted.

c4-judge commented 12 months ago

0xleastwood marked the issue as full credit

c4-judge commented 12 months ago

0xleastwood marked the issue as satisfactory