H-01 Unmitigated

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/6b4867491350f8327d0ac4f496f263642cf3c1be/contracts/AfEth.sol#L148-L169

Vulnerability details

Mitigation of H-01: Mitigation Error, see comments

Link to Issue: https://github.com/code-423n4/2023-09-asymmetry-findings/issues/62

Comments

The sponsor has provided a detailed response in the following comment: https://github.com/code-423n4/2023-09-asymmetry-findings/issues/62#issuecomment-1760305328

In summary their analysis is:

• The conditions to expose the issue are unlikely, it needs a deviation of the intended ratio while also a deviation of the CVX/ETH Chainlink feed price.
• The sponsor was able to reproduce the issue, but for a maximum difference of 2% in the Chainlink CVX price, the difference between the target ratio and the real ratio needs to be large.

As the sponsor comments:

Based on this analysis we think a 2% chainlink variance is an acceptable risk, even when the ratios are far apart.

However, the accepted risk is also justified by the introduction of a minimum delay in the withdrawal process:

in another pull request we set a minimum withdraw time of 1 epoch so its impossible to instantly withdraw even if there are unlockable funds in the contract.

Given the error with the withdrawal delay in VotiumStrategy, detailed in issue [ADRIRO-NEW-H-01] (VotiumStrategy withdrawal can still be executed with minimal delay), which still offers the possibility of depositing into the protocol with minimal exposure to CVX, the attack is still feasible and can be performed under the right circumstances. The assessment is that the issue is still present and it has not been mitigated.

Assessed type

Other

[toshiSat]

dupe #12

[d3e4]

dupe #12

This report (#26) states as only reason for being unmitigated the false assumption that the withdrawal delay added was one week, whereas it can be as low as one block.

H-01 was never primarily about an immediate withdrawal, and the withdrawal delay is at most of secondary importance in the mitigation. Therefore the impact of the lacking mitigation, as argued here, is quite low. Were it not for the fact that the withdrawal delay was explicitly stated as part of the mitigation, the false assumption of the withdrawal delay would be mostly irrelevant here.

12 provides much more reason for being unmitigated, to the point that it contains what may even be considered a new issue.

It therefore does not seem correct to consider #26 and #12 mere duplicates, but some distinction has to be made between them. Either that #12 has a greater impact than #26, or that both are duplicates in an unmitigated H-02 but that #12 is also a new issue.

[c4-judge]

0xleastwood marked the issue as satisfactory

[c4-judge]

0xleastwood marked the issue as confirmed for report

[c4-judge]

0xleastwood marked the issue as not confirmed for report

[c4-judge]

0xleastwood marked the issue as confirmed for report