code-423n4 / 2024-01-curves-findings


Flash Loan Attack Protections Missing #1365

Closed c4-bot-6 closed 10 months ago

c4-bot-6 commented 10 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L211

Vulnerability details

The contract's buyCurvesToken and sellCurvesToken functions do not have any protections against flash loan attacks. A user could potentially take out a flash loan, buy a large number of Curves tokens to manipulate the price, and then sell them within the same transaction block.

function buyCurvesToken(address curvesTokenSubject, uint256 amount) public payable {
    uint256 startTime = presalesMeta[curvesTokenSubject].startTime;
    if (startTime != 0 && startTime >= block.timestamp) revert SaleNotOpen();

    _buyCurvesToken(curvesTokenSubject, amount);
}

function sellCurvesToken(address curvesTokenSubject, uint256 amount) public {
    uint256 supply = curvesTokenSupply[curvesTokenSubject];
    if (supply <= amount) revert LastTokenCannotBeSold();
    if (curvesTokenBalance[curvesTokenSubject][msg.sender] < amount) revert InsufficientBalance();

    uint256 price = getPrice(supply - amount, amount);

    curvesTokenBalance[curvesTokenSubject][msg.sender] -= amount;
    curvesTokenSupply[curvesTokenSubject] = supply - amount;

    _transferFees(curvesTokenSubject, false, price, amount, supply);
}

Impact

Flash loan attacks involve borrowing a large amount of assets (usually from a DeFi protocol), manipulating the market or contract state within a single transaction, and then repaying the loan. This can lead to artificial inflation or deflation of token prices, allowing the attacker to profit at the expense of other users or the protocol itself.

Mitigation

To mitigate the risk of flash loan attacks, the contract could implement a cooldown period between buys and sells or check that the caller has held the tokens for a certain period before allowing a sell. This would prevent the immediate buy-sell action within the same block that is characteristic of flash loan attacks.

Assessed type

Context
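The holding-period check proposed under Mitigation above, as an added sketch that is not part of the original report and is not code from Curves.sol. The contract name `HoldingPeriodGuard`, the `minHoldBlocks` parameter, the `lastAcquiredBlock` mapping and both internal hooks are hypothetical; a contract such as Curves would call `_recordAcquisition` wherever a balance increases and `_requireHeld` at the top of its sell path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

/// Added illustration only: a hypothetical holding-period guard, not code from Curves.sol.
abstract contract HoldingPeriodGuard {
    error HoldingPeriodNotElapsed(uint256 earliestSellBlock);

    /// Assumed parameter: minimum number of blocks between acquiring and selling.
    uint256 public immutable minHoldBlocks;

    /// subject => holder => block number of the holder's most recent acquisition.
    mapping(address => mapping(address => uint256)) public lastAcquiredBlock;

    constructor(uint256 _minHoldBlocks) {
        // At least 1, so a buy and a sell can never land in the same block,
        // and therefore never in the same transaction.
        require(_minHoldBlocks >= 1, "minHoldBlocks must be >= 1");
        minHoldBlocks = _minHoldBlocks;
    }

    /// Call from every path that increases a balance: buys and incoming transfers.
    /// Recording transfers as well means the holding period follows the tokens,
    /// not only the address that originally bought them.
    function _recordAcquisition(address subject, address holder) internal {
        lastAcquiredBlock[subject][holder] = block.number;
    }

    /// Call at the top of the sell path, before any balance or supply update.
    function _requireHeld(address subject, address holder) internal view {
        uint256 acquired = lastAcquiredBlock[subject][holder];
        if (acquired == 0) return; // no acquisition recorded for this holder

        uint256 earliest = acquired + minHoldBlocks;
        if (block.number < earliest) revert HoldingPeriodNotElapsed(earliest);
    }
}
```

Keying the check on `block.number` rather than `block.timestamp` keeps the same-block guarantee independent of how timestamps are set.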

c4-pre-sort commented 10 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #565

c4-judge commented 10 months ago

alcueca marked the issue as unsatisfactory: Invalid