Closed c4-bot-9 closed 9 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #31
0xA5DF marked the issue as unsatisfactory: Invalid
@0xA5DF @raymondfam Thank you for judging this. In my opinion, this is definitely an issue and displays a wider problem than the primary issue it was linked to. While the root cause is the same, it doesn't convey the same impact. What I'm proving here is that any user is able to unwrap their assets without paying fees EVEN IF the total amount they want to unwrap is larger than the value of unwrapFeeDivisor. This is definitely griefing since the exploit is possible with any amount of tokens: implicitly with unwrap amount smaller than unwrapFeeDivisor (the linked issue), and explicitly with larger amounts through the exploit I've demonstrated here.
See the discussion on #234
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/ocean/Ocean.sol#L864-L880
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/ocean/Ocean.sol#L978-L984
Vulnerability details
Impact
Users can unwrap their assets from The Ocean and evade paying fees to the protocol when the requested amount is smaller than the fee divisor. This happens due to a truncation of the result in the fee calculation.
Proof of Concept
This affects the _erc20Unwrap() and _etherUnwrap() functions of Ocean.sol. This is how fees within The Ocean are calculated:

This is easily bypassable if the user performs multiple withdrawals where the amount is always smaller than the unwrapFeeDivisor. This happens due to integer truncation:

In our example, this is easier to pull off with tokens with a high decimal count (for example 18) but less favorable with ones like USDC or USDT (6 decimals), since the amount is upscaled by _convertDecimals().

Users can also withdraw everything within one transaction by creating multiple interactions where each unwrap is below the unwrapFeeDivisor threshold and executing it using the protocol's doMultipleInteractions().

Here's a POC (I used the TestCurve2PoolAdapter.t.sol file):

Tools Used
Manual Analysis
Recommended Mitigation Steps
Introduce a minimum withdrawal amount based on the value of unwrapFeeDivisor. The value should be upscaled or downscaled based on the decimal count of the wrapped token.
Assessed type
Decimal
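The following is an added model of the fee arithmetic described in the Proof of Concept and of the minimum-amount check proposed under Recommended Mitigation Steps. It is not Shell Protocol's Ocean.sol code: the divisor value, the 18-decimal internal precision, and all function names are assumptions chosen to illustrate the truncation, the split-withdrawal pattern, and why a low-decimal token such as USDC is harder to grief.

```python
"""Added example (not Shell Protocol's Ocean.sol): a minimal model of the
unwrap-fee arithmetic in this finding, the split withdrawal that defeats it,
and the minimum-amount check proposed as mitigation. The divisor value, the
18-decimal normalisation and the function names are assumptions."""

UNWRAP_FEE_DIVISOR = 2000   # assumed value; the real divisor is set in Ocean.sol
NORMALIZED_DECIMALS = 18    # assumed internal accounting precision of The Ocean


def convert_decimals(amount: int, from_dec: int, to_dec: int) -> int:
    """Scale a token amount between decimal precisions (model of _convertDecimals)."""
    if to_dec >= from_dec:
        return amount * 10 ** (to_dec - from_dec)
    return amount // 10 ** (from_dec - to_dec)


def fee_truncating(amount: int, divisor: int = UNWRAP_FEE_DIVISOR) -> int:
    """Fee as plain integer division: any amount below `divisor` truncates to a fee of 0."""
    return amount // divisor


def fee_on_raw(raw_amount: int, token_decimals: int,
               divisor: int = UNWRAP_FEE_DIVISOR) -> int:
    """Fee on a raw token amount after upscaling to the internal precision.
    One raw unit of a 6-decimal token becomes 1e12 internally, so the fee
    no longer truncates to zero; 18-decimal tokens get no such upscaling."""
    normalized = convert_decimals(raw_amount, token_decimals, NORMALIZED_DECIMALS)
    return fee_truncating(normalized, divisor)


def unwrap_in_chunks(total: int, chunk: int,
                     divisor: int = UNWRAP_FEE_DIVISOR) -> tuple[int, int]:
    """Simulate unwrapping `total` as repeated unwraps of at most `chunk` units
    (the doMultipleInteractions pattern). Returns (received, fees_paid)."""
    received = fees = 0
    remaining = total
    while remaining > 0:
        step = min(chunk, remaining)
        fee = fee_truncating(step, divisor)
        fees += fee
        received += step - fee
        remaining -= step
    return received, fees


def fee_with_minimum(amount: int, divisor: int = UNWRAP_FEE_DIVISOR) -> int:
    """Mitigated version: refuse any unwrap whose fee would truncate to zero.
    `amount` is in internal (normalized) units, so the minimum is the divisor
    itself; callers convert raw token amounts first with convert_decimals()."""
    if amount < divisor:
        raise ValueError(f"unwrap amount {amount} is below the minimum {divisor}")
    return amount // divisor


if __name__ == "__main__":
    print(unwrap_in_chunks(10_000, 10_000))  # single unwrap: fee is charged
    print(unwrap_in_chunks(10_000, 1_999))   # chunks below the divisor: no fee at all
```

Running the block shows the same total leaving the contract either way, but only the single unwrap pays a fee; the chunked path collects nothing because every chunk's fee rounds down to zero. The `fee_with_minimum` check closes that path by rejecting amounts under the divisor in internal units, which is equivalent to the recommended per-token minimum once the token amount has been scaled to the internal precision.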