code-423n4 / 2023-10-badger-findings


Risk of Treasury Draining Attack #64

Closed c4-submissions closed 11 months ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/ActivePool.sol#L261-L310

Vulnerability details

The smart contract, which combines flash lending and borrowing from a third party, is susceptible to a treasury draining attack. This attack involves leveraging a flash mint to borrow a large amount of tokens, pushing the system to its borrowing limit, and triggering a debt rate increase in the underlying lender. The vulnerability arises due to inadequate borrowing limits and rate control mechanisms in the contract.

Impact

Proof of Concept

Although this function (flashLoan) implements the ERC-3156 standard, it lacks essential safeguards to prevent a treasury draining attack. The ActivePool contract does not incorporate strict borrowing limits. As a result, a malicious flash lender can exploit a flash mint to borrow a large amount of tokens, potentially pushing the contract to its borrowing limit.

function flashLoan(
    IERC3156FlashBorrower receiver,
    address token,
    uint256 amount,
    bytes calldata data
) external override returns (bool) {
    // ... (rest of the function)
    emit FlashLoanSuccess(address(receiver), token, amount, fee);

    return true;
}

  1. Flash Mint Attack:
    • The attacker initiates a flash mint, allowing them to borrow an extremely large amount of the native token (e.g., FOO tokens) from the ActivePool contract.
  2. Borrowing and Conversion:
    • With the flash-minted FOO tokens in their possession, the attacker converts these tokens to a different asset (e.g., BAR tokens). This conversion triggers the ActivePool contract to borrow an equivalent amount of FOO tokens from an external underwriter. As there are no borrowing limits in place, the contract accepts the full amount requested by the attacker.
  3. Debt Rate Manipulation:
    • The attacker manipulates the debt rate in the external underwriter's contract. They exploit vulnerabilities or engage in price manipulation to increase the interest rate associated with the borrowed FOO tokens.
  4. Accumulating Debt:
    • As a result of the increased debt rate, the ActivePool contract incurs substantial interest charges on the borrowed FOO tokens. The debt continues to accumulate rapidly.
  5. Treasury Draining:
    • Over a short period, the debt accrued by the ActivePool contract reaches a critical level. The contract's treasury becomes unable to cover the accumulating debt and interest charges. This situation results in a treasury draining effect, where the contract's assets are insufficient to cover its liabilities.
  6. Financial Instability:
    • The financial instability caused by the treasury draining attack could lead to multiple adverse consequences, including:
      • Inability to honor withdrawal requests from users.
      • Disruption of the normal operation of the contract.
      • Potential insolvency and loss of funds for users and stakeholders.
      • Damage to the reputation and trustworthiness of the contract.

Tools Used

Manual

Recommended Mitigation Steps

The ActivePool contract should implement strict borrowing limits and rate control mechanisms to prevent excessive borrowing and respond to rapid changes in interest rates.

Assessed type

Other
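The borrowing limit recommended in the report above, shown on a generic ERC-3156 lender as an added example; this is not code from the report or from the Badger repository. The contract name CappedFlashLender, the cap parameter and the FEE_BPS value are hypothetical.

```solidity
pragma solidity ^0.8.17;

// Added example: a generic single-asset ERC-3156 lender, not the ActivePool implementation.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC3156FlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

contract CappedFlashLender {
    bytes32 public constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    uint256 public constant FEE_BPS = 3;   // hypothetical fee: 0.03%
    IERC20 public immutable asset;         // the only token this lender offers
    uint256 public immutable cap;          // hypothetical per-loan ceiling

    constructor(IERC20 asset_, uint256 cap_) { asset = asset_; cap = cap_; }

    // ERC-3156 requires 0 for unsupported tokens; otherwise the lesser of balance and cap.
    function maxFlashLoan(address token) public view returns (uint256) {
        if (token != address(asset)) return 0;
        uint256 bal = asset.balanceOf(address(this));
        return bal < cap ? bal : cap;
    }

    function flashFee(address token, uint256 amount) public view returns (uint256) {
        require(token == address(asset), "unsupported token");
        return (amount * FEE_BPS) / 10_000;
    }

    function flashLoan(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool)
    {
        // The limit check: rejects zero amounts, unsupported tokens and anything above the cap.
        require(amount > 0 && amount <= maxFlashLoan(token), "amount over limit");
        uint256 fee = flashFee(token, amount);
        uint256 balBefore = asset.balanceOf(address(this));
        require(asset.transfer(address(receiver), amount), "transfer failed");
        require(receiver.onFlashLoan(msg.sender, token, amount, fee, data) == CALLBACK_SUCCESS, "callback failed");
        require(asset.transferFrom(address(receiver), address(this), amount + fee), "repay failed");
        // Invariant: the lender ends the transaction holding at least its prior balance plus the fee.
        require(asset.balanceOf(address(this)) >= balBefore + fee, "pool balance decreased");
        return true;
    }
}
```

Because the whole loan reverts unless principal plus fee is returned in the same transaction, the post-callback balance check is the property a reviewer would confirm before assessing any claim that a flash loan leaves lasting debt on the lender.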

c4-pre-sort commented 11 months ago

bytes032 marked the issue as insufficient quality report

c4-judge commented 11 months ago

jhsagd76 marked the issue as unsatisfactory: Invalid