search

code-423n4 / 2024-02-hydradx-findings

1 stars 0 forks source link

Adversary can block adding liquidity due to reserve check #195

Closed c4-bot-2 closed 6 months ago

c4-bot-2 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/stableswap/src/lib.rs#L1040

Vulnerability details

Impact

In stableswap pallet, there is a function add_liquidity() that, in its turn, calls do_add_liquidity() and calculate share_amount for the assets that a user has provided. But before that, it makes some vectors and pushes updated values of reserves of the assets in the pool. If some liquidity was added, this amount is added to added_amounts vector. If it's 0, just 0 is pushed. The problem is that the function will revert if the initial liquidity for one of the assets in the pool is 0.

Proof of Concept

  1. Let's say there are 3 users: creator of the pool who has provided the initial liquidity and 2 more users. And also there are 3 assets in the pool - [USDC, USDT, DAI] with corresponding amounts - [100, 50, 25].

  2. Let's say the initial liquidity for the USDC was 100, then some user2 deposited 100 more and the creator (user1) of the pool withdrew his liquidity (100 tokens). So now the liquidity is 100.

  3. Let's say some user3 wants to provide liquidity for this token or for other token in the pool. User2 can see his transaction and just front-run him constantly by adding / removing his liquidity and making the process of adding liquidity to constantly fail due to the reserve check:

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/stableswap/src/lib.rs#L1040

ensure!(!reserve.is_zero(), Error::<T>::InvalidInitialLiquidity);

Tools Used

Manual review.

Recommended Mitigation Steps

Reserve check should be changed to avoid this front-running opportunity.

Assessed type

Other

0xRobocop commented 6 months ago

Report does not describe any type of impact to the protocol

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as insufficient quality report

OpenCoreCH commented 6 months ago

No impact & it is intended that initial liquidity is provided with add_token.

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid

rodiontr commented 5 months ago

@OpenCoreCH Hi! It seems like this issue is another edge case for the issue described in #148. It describes the core issue and shows that there can be a situation where adding liquidity to the pool will be blocked

OpenCoreCH commented 5 months ago

Hey @rodiontr, these issues are indeed somewhat similar, although this one can be prevented even more easily (if governance calls add_token, frontrunning does not matter). But #148 is also downgraded in the meantime.