Closed c4-bot-1 closed 6 months ago
Lines of code
https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/circuit-breaker/src/lib.rs#L44-L46
https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/circuit-breaker/src/lib.rs#L245-L247
Vulnerability details
Summary
Block-Scoped Volume Counters Risk Constraint Bypass
The Circuit Breaker tallies trade volumes on a per-block basis to enforce trade limits. However, this narrow scope enables constraint bypass by splitting volumes across block boundaries.
The problem manifests in the net volume data structure:
HydraDX-node/pallets/circuit-breaker/src/lib.rs
```rust
pub struct TradeVolumeLimit<T: Config> {
    pub volume_in: T::Balance,
    pub volume_out: T::Balance,
    // excerpt ends here; the rest of the struct is not shown
}
```
Aggregating just the current block activity leaves gaps between rounds:
Attackers could exploit by:
Swapping 1000 A => 1500 B in Block X
Swapping 1500 B => 1000 A in Block X+1
Totals 2000 A traded bypassing 500 A ceiling.
Impact
Enables sustained extraction violating volume constraints until detection. Erodes sustainability protections.
Proof of Concept
Based on the Circuit Breaker implementation, the net volume calculation and reset seem to occur in the storage mapping:
HydraDX-node/pallets/circuit-breaker/src/lib.rs
```rust
// Per-asset storage map: AssetId -> TradeVolumeLimit
#[pallet::getter(fn allowed_trade_volume_limit_per_asset)]
pub type AllowedTradeVolumeLimitPerAsset<T: Config> =
    StorageMap<_, Blake2_128Concat, T::AssetId, TradeVolumeLimit<T>>;
```
Specifically, reliance on this block-by-block mapping enables splitting attacks: HydraDX-node/pallets/circuit-breaker/src/lib.rs
With trades crossing block boundaries able to reset tracking and bypass thresholds.
Tools Used
Manual Review
Recommended Mitigation Steps
Adding persistence could strengthen volume accountability.
Solution
Potential solutions could involve modifying the struct like
```rust
struct VolumeTracker {
    current_net_volume: Balance,
    window_net_volume: Balance,
    window_limit: Balance,
}
```
Adding a persistent tracking accumulator.
Assessed type
Invalid Validation
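One way the persistent accumulator suggested under the mitigation could look, as an added example that is not code from the report or from HydraDX. The `Balance` and `BlockNumber` aliases, the `window_blocks` and `history` fields, `try_record`, and the sample amounts are assumptions made for illustration.

```rust
use std::collections::VecDeque;
type Balance = u64; // assumption: stand-in for the pallet's T::Balance
type BlockNumber = u32; // assumption: stand-in for the runtime block number

/// Hypothetical tracker: the three proposed fields plus per-block history for expiry.
struct VolumeTracker {
    current_net_volume: i128, // signed net volume (in - out) of the newest block
    window_net_volume: i128,  // signed net volume summed over the window
    window_limit: Balance,    // cap on |window_net_volume|
    window_blocks: BlockNumber,
    history: VecDeque<(BlockNumber, i128)>,
}

impl VolumeTracker {
    fn new(window_blocks: BlockNumber, window_limit: Balance) -> Self {
        Self { current_net_volume: 0, window_net_volume: 0, window_limit, window_blocks, history: VecDeque::new() }
    }

    /// Records a trade at `block` (assumed non-decreasing) or rejects it over the limit.
    fn try_record(&mut self, block: BlockNumber, amount_in: Balance, amount_out: Balance) -> Result<(), &'static str> {
        // Expire per-block entries older than the window.
        while let Some(&(b, v)) = self.history.front() {
            if block.saturating_sub(b) < self.window_blocks { break; }
            self.window_net_volume -= v;
            self.history.pop_front();
        }
        let delta = i128::from(amount_in) - i128::from(amount_out);
        let candidate = self.window_net_volume + delta;
        if candidate.unsigned_abs() > u128::from(self.window_limit) {
            return Err("window volume limit exceeded");
        }
        // Open an entry for a new block, then add the trade to the newest entry.
        if self.history.back().map_or(true, |&(b, _)| b != block) {
            self.history.push_back((block, 0));
        }
        let current = &mut self.history.back_mut().expect("entry exists").1;
        *current += delta;
        self.current_net_volume = *current;
        self.window_net_volume = candidate;
        Ok(())
    }
}

fn main() {
    let mut t = VolumeTracker::new(3, 500); // constructed values: 3-block window, limit 500
    for (block, amount_in) in [(10, 400), (11, 400), (13, 400)] {
        println!("block {block}: {:?}", t.try_record(block, amount_in, 0));
    }
}
```

Because the total is carried across blocks and only shrinks when a block ages out of the window, a trade in the next block is checked against what earlier blocks already consumed.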
0xRobocop marked the issue as duplicate of #108
0xRobocop marked the issue as insufficient quality report
OpenCoreCH marked the issue as unsatisfactory: Invalid