search

code-423n4 / 2024-01-curves-findings

0 stars 0 forks source link

Incorrect Calculation in totalSupply Function in FeeSplitter Contract #1326

Closed c4-bot-2 closed 7 months ago

c4-bot-2 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L43-L46

Vulnerability details

The totalSupply function in the FeeSplitter contract contains a calculation error. The subtraction of curves.curvesTokenBalance(token, address(curves)) from curves.curvesTokenSupply(token) should be multiplied

Impact

Scenario:

An attacker exploits the incorrect calculation in the totalSupply function of the FeeSplitter contract to manipulate the reported total supply, leading to deceptive information about the actual token distribution.

Impact:

Manipulation of Token Metrics:

The attacker could execute a series of transactions that trigger the totalSupply function to miscalculate the total supply of a specific token within the FeeSplitter contract.

By exploiting this vulnerability, the attacker artificially inflates or deflates the reported total supply, creating a false perception of the token's actual circulation.

Deceptive Yield Farming:

Yield farming platforms or liquidity pools relying on accurate total supply values may be deceived by the manipulated metrics. Users participating in these platforms might experience inaccurate yield calculations, affecting their decision-making and potentially leading to financial losses.

Decoy for Front-Running:

The manipulated total supply could serve as a decoy for front-running attacks during token swaps or trades on decentralized exchanges. Attackers may take advantage of the misinformation to execute trades ahead of other market participants, exploiting price discrepancies.

Compromised Governance Decisions:

If the total supply is used as a parameter for governance decisions, the manipulated data may influence voting outcomes. Attackers could potentially sway governance decisions in their favor by presenting false information about the distribution of tokens. Impact on Reputation:

Inaccurate reporting of total supply undermines the trust and credibility of the project, affecting its reputation in the decentralized finance (DeFi) community. Users and investors may lose confidence in the project's transparency and reliability.

Proof of Concept

Deploy the FeeSplitter contract. Call the totalSupply function with a specific token address. Expected Behavior: The totalSupply function should accurately calculate the total supply of the specified token, accounting for locked tokens in the ERC20 contract.

Actual Behavior: Due to the missing multiplication by PRECISION, the calculated total supply be incorrect, leading to discrepancies in various protocol functionalities.

Tools Used

Manual review

Recommended Mitigation Steps

function totalSupply(address token) public view returns (uint256) {
    //@dev: this is the amount of tokens that are not locked in the contract. The locked tokens are in the ERC20 contract
    return (curves.curvesTokenSupply(token) - curves.curvesTokenBalance(token, address(curves))) * PRECISION / PRECISION;
}

Assessed type

Decimal

c4-pre-sort commented 8 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as primary issue

raymondfam commented 8 months ago

Invalid assumption.

andresaiello commented 7 months ago

Invalid assumption.

c4-sponsor commented 7 months ago

andresaiello (sponsor) disputed

c4-judge commented 7 months ago

alcueca marked the issue as unsatisfactory: Insufficient quality

c4-judge commented 7 months ago

alcueca marked the issue as unsatisfactory: Invalid