code-423n4 / 2023-09-goodentry-mitigation-findings


Attacker can extract value from pool by sandwiching herself at `swapAll` during `close` #60

Open c4-submissions opened 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/GoodEntry-io/ge/blob/c7c7de57902e11e66c8186d93c5bb511b53a45b8/contracts/PositionManager/OptionsPositionManager.sol#L454

Vulnerability details

Attacker can drain the lending pool by leveraging two facts:

  1. swapAll allows 1% slippage
  2. There is no Health Factor check after close.

Alice and Bob are good friends, the steps are (in one single tx):

  1. Alice deposits 10000 USDT and borrows $7000 worth of TR.
  2. Bob buys ETH at AMM to push up the price to oracle + 1%.
  3. Alice closes but only repays 1 wei of debt. The real intention is to swap from USDT collateral to ETH collateral.
  4. Bob sells ETH at AMM to pull down the price to oracle - 1%.
  5. Alice closes but only repays 1 wei of debt, to swap back to USDT collateral.
  6. Repeat
  7. Alice has 0 collateral and Bob gains 10000 USDT by sandwiching.

By continuously sandwiching Alice, Bob can extract value from the pool. A simple mitigation is to add a HF check after each swap.

Assessed type

Context
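The following is an added simulation, not code from the report or from the GoodEntry repository. It models the two facts the finding relies on: each `close` swaps the whole collateral through `swapAll`, which tolerates a 1% deviation from the oracle price, and the original code performs no health factor check after the swap. The position sizes (10000 USDT collateral, 7000 debt) come from the report; the liquidation threshold of 80% used for the health factor, the `Position` class and the function names are assumptions made for the model. Running the same round trips with the mitigation enabled (revert when HF < 1 after the swap) shows that the sequence stops after 13 swaps, while without it the collateral keeps shrinking past the debt.

```python
"""Model of the close()/swapAll() sequence described in the finding, run with
and without a post-swap health factor (HF) check.  Constructed example; the
numbers and class below are not GoodEntry code."""
from dataclasses import dataclass

MAX_SLIPPAGE = 0.01            # from the report: swapAll tolerates 1% vs. oracle
LIQ_THRESHOLD = 0.80           # assumed liquidation threshold used in the HF
INITIAL_COLLATERAL = 10_000.0  # from the report (USDT, valued at oracle price)
INITIAL_DEBT = 7_000.0         # from the report ($7000 worth of TR)


class HealthFactorTooLow(Exception):
    """Models the revert the hardened close() would perform."""


@dataclass
class Position:
    collateral_usd: float          # collateral valued at the oracle price
    debt_usd: float
    extracted_by_mev: float = 0.0  # value that left the pool to the sandwicher

    def health_factor(self) -> float:
        if self.debt_usd == 0:
            return float("inf")
        return self.collateral_usd * LIQ_THRESHOLD / self.debt_usd


def close(pos: Position, repay_usd: float, price_deviation: float,
          enforce_hf: bool) -> Position:
    """One close(): repay `repay_usd`, then swap all remaining collateral.

    `price_deviation` is how far the AMM price sits from the oracle when the
    swap executes.  swapAll accepts anything up to MAX_SLIPPAGE, so that
    fraction of the collateral's value is lost to whoever moved the price.
    """
    if price_deviation > MAX_SLIPPAGE:
        raise ValueError("swapAll reverts: price outside slippage tolerance")
    new_debt = pos.debt_usd - repay_usd
    lost = pos.collateral_usd * price_deviation
    new_collateral = pos.collateral_usd - lost
    # Mitigation (the original code has no check at this point): refuse to
    # leave the position undercollateralised after the swap.  Raising before
    # any field is written models a revert that rolls the state back.
    if enforce_hf and new_collateral * LIQ_THRESHOLD < new_debt:
        raise HealthFactorTooLow(
            f"HF {new_collateral * LIQ_THRESHOLD / new_debt:.4f} < 1 after swap")
    pos.debt_usd = new_debt
    pos.collateral_usd = new_collateral
    pos.extracted_by_mev += lost
    return pos


def run_rounds(rounds: int, enforce_hf: bool) -> tuple[Position, int]:
    """Repeat the report's step 3/5 (close repaying a negligible amount while
    the AMM price is pushed 1% away from the oracle) up to `rounds` times.
    Returns the final position and how many closes went through."""
    pos = Position(INITIAL_COLLATERAL, INITIAL_DEBT)
    completed = 0
    try:
        for _ in range(rounds):
            # 1 wei of debt is negligible in USD terms; a tiny value stands in.
            close(pos, repay_usd=1e-12, price_deviation=MAX_SLIPPAGE,
                  enforce_hf=enforce_hf)
            completed += 1
    except HealthFactorTooLow:
        pass  # the hardened close() reverted; state is unchanged for that round
    return pos, completed


if __name__ == "__main__":
    unchecked, n = run_rounds(200, enforce_hf=False)
    print(f"no HF check : {n} closes, collateral {unchecked.collateral_usd:.2f}, "
          f"debt {unchecked.debt_usd:.2f}, HF {unchecked.health_factor():.3f}, "
          f"extracted {unchecked.extracted_by_mev:.2f}")
    checked, m = run_rounds(200, enforce_hf=True)
    print(f"with HF check: {m} closes, collateral {checked.collateral_usd:.2f}, "
          f"HF {checked.health_factor():.3f}")
```

Each swap costs at most 1% of the collateral's value, so after 200 rounds the unchecked position holds about 1340 USDT of collateral against 7000 of debt, and the difference has left the pool. With the check in place the 14th swap would take the collateral below 8750 (the point where 80% of it no longer covers the debt) and is rejected, so the position can never be swapped into bad debt regardless of how the AMM price is moved.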

c4-judge commented 11 months ago

gzeon-c4 marked the issue as satisfactory

c4-judge commented 11 months ago

gzeon-c4 marked the issue as unsatisfactory: Insufficient proof

gzeon-c4 commented 11 months ago

Besides, sandwiching is usually out of scope, and the warden's POC of Alice and Bob acting together failed to show it is profitable as an attack.

xuwinnie commented 11 months ago

Hey @gzeon-c4, this is not just a sandwich; the main point is the lack of a health factor check. The sponsor has confirmed and fixed this in PR17. The attack is profitable because originally Alice should not be able to remove all the collateral since she has outstanding debt, but now she will be able to do so.

c4-judge commented 11 months ago

gzeon-c4 removed the grade

c4-judge commented 11 months ago

gzeon-c4 marked the issue as satisfactory

c4-judge commented 11 months ago

gzeon-c4 marked the issue as selected for report