Closed c4-bot-2 closed 7 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Invalid assumption.
andresaiello (sponsor) disputed
alcueca marked the issue as unsatisfactory: Insufficient quality
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L43-L46
Vulnerability details
The totalSupply function in the FeeSplitter contract contains a calculation error. The subtraction of curves.curvesTokenBalance(token, address(curves)) from curves.curvesTokenSupply(token) should be multiplied
Impact
Scenario:
An attacker exploits the incorrect calculation in the totalSupply function of the FeeSplitter contract to manipulate the reported total supply, leading to deceptive information about the actual token distribution.
Impact:
Manipulation of Token Metrics:
The attacker could execute a series of transactions that trigger the totalSupply function to miscalculate the total supply of a specific token within the FeeSplitter contract.
By exploiting this vulnerability, the attacker artificially inflates or deflates the reported total supply, creating a false perception of the token's actual circulation.
Deceptive Yield Farming:
Yield farming platforms or liquidity pools relying on accurate total supply values may be deceived by the manipulated metrics. Users participating in these platforms might experience inaccurate yield calculations, affecting their decision-making and potentially leading to financial losses.
Decoy for Front-Running:
The manipulated total supply could serve as a decoy for front-running attacks during token swaps or trades on decentralized exchanges. Attackers may take advantage of the misinformation to execute trades ahead of other market participants, exploiting price discrepancies.
Compromised Governance Decisions:
If the total supply is used as a parameter for governance decisions, the manipulated data may influence voting outcomes. Attackers could potentially sway governance decisions in their favor by presenting false information about the distribution of tokens.
Impact on Reputation:
Inaccurate reporting of total supply undermines the trust and credibility of the project, affecting its reputation in the decentralized finance (DeFi) community. Users and investors may lose confidence in the project's transparency and reliability.
Proof of Concept
Deploy the FeeSplitter contract.
Call the totalSupply function with a specific token address.
Expected Behavior: The totalSupply function should accurately calculate the total supply of the specified token, accounting for locked tokens in the ERC20 contract.
Actual Behavior: Due to the missing multiplication by PRECISION, the calculated total supply will be incorrect, leading to discrepancies in various protocol functionalities.
Tools Used
Manual review
Recommended Mitigation Steps
Assessed type
Decimal