search

code-423n4 / 2024-02-hydradx-findings

1 stars 0 forks source link

Block-Scoped Volume Counters Enable Constraint Bypass #106

Closed c4-bot-1 closed 6 months ago

c4-bot-1 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/circuit-breaker/src/lib.rs#L44-L46 https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/circuit-breaker/src/lib.rs#L245-L247

Vulnerability details

Summary

Block-Scoped Volume Counters Risk Constraint Bypass The Circuit Breaker tallies trade volumes on a per-block basis to enforce trade limits. However this narrow scope enables constraint bypass by splitting volumes across block boundaries.

The problem manifests in the net volume data structure: HydraDX-node/pallets/circuit-breaker/src/lib.rs

pub struct TradeVolumeLimit<T: Config> {
    pub volume_in: T::Balance,
    pub volume_out: T::Balance,

Aggregating just the current block activity leaves gaps between rounds:

Attackers could exploit by:

  1. Swapping 1000 A => 1500 B in Block X

  2. Swapping 1500 B => 1000 A in Block X+1

Totals 2000 A traded bypassing 500 A ceiling.

Impact

Enables sustained extraction violating volume constraints until detection. Erodes sustainability protections.

Proof of Concept

Based on the Circuit Breaker implementation, the net volume calculation and reset seems to occur in the storage mapping: HydraDX-node/pallets/circuit-breaker/src/lib.rs

#[pallet::getter(fn allowed_trade_volume_limit_per_asset)]
pub type AllowedTradeVolumeLimitPerAsset<T: Config> =
        StorageMap<_, Blake2_128Concat, T::AssetId, TradeVolumeLimit<T>>;

Specifically, reliance on this block-by-block mapping enables splitting attacks: HydraDX-node/pallets/circuit-breaker/src/lib.rs

pub struct TradeVolumeLimit<T: Config> {
    pub volume_in: T::Balance,
    pub volume_out: T::Balance,

With trades crossing block boundaries able to reset tracking and bypass thresholds.

Tools Used

Manual Review

Recommended Mitigation Steps

Adding persistence could strengthen volume accountability.

Solution

Potential solutions could involve modifying the struct like

struct VolumeTracker {

  current_net_volume: Balance 

  window_net_volume: Balance

  window_limit: Balance

}

Adding a persistent tracking accumulator.

Assessed type

Invalid Validation

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as duplicate of #108

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as insufficient quality report

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid