code-423n4 / 2024-02-spectra-findings


Duration Parameter in Principal Token can be exploited to cause IBT Rate Manipulation and Gas Griefing #181

Closed c4-bot-6 closed 8 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L132

Vulnerability details

Impact

The Spectra protocol allows users to deposit an Interest-Bearing Token (IBT) which is split into Principal Token (PT) and Yield Token (YT) pairs in a 1:1 ratio. However, the protocol lacks proper validation for the duration parameter provided during initialization. An attacker can exploit this by setting the duration parameter to zero or a very short duration, causing continuous deposit and withdrawal cycles. This can lead to instability in interest-bearing token rates, as the protocol clearly mentions that "IBT rate is only updated upon user interactions with our protocol"; it can also disrupt the PT and YT supply equilibrium and enable gas-griefing or denial-of-service attacks.

Proof of Concept

The vulnerable code segment can be found in the initialize function of the Spectra protocol. By setting the duration parameter to zero or a very short duration, an attacker can trigger rapid deposit and withdrawal cycles.

```solidity
function initialize(
    address _ibt,
    uint256 _duration,
    address _initialAuthority
) external initializer {
    if (_ibt == address(0) || _initialAuthority == address(0)) {
        revert AddressError();
    }
    if (IERC4626(_ibt).totalAssets() == 0) {
        revert RateError();
    }
    _asset = IERC4626(_ibt).asset();
    duration = _duration;
    expiry = _duration + block.timestamp;
    string memory _ibtSymbol = IERC4626(_ibt).symbol();
```

Attack scenario

The attacker deploys the principal token and initializes the contract by setting the duration to zero or a very short period. The attacker then begins a series of rapid deposit and withdrawal cycles: they deposit IBT tokens into the protocol, receive PT and YT pairs, and immediately withdraw them. By doing so, the attacker manipulates IBT rates and also disrupts the PT and YT supply. The continuous deposit and withdrawal cycles initiated by the attacker result in significant gas costs for legitimate users. This gas-griefing behavior can disrupt normal protocol operations and lead to denial-of-service attacks against the Spectra protocol.

Tools Used

Manual review

Recommended Mitigation Steps

Ensure that the duration parameter is set to a reasonable value, preventing immediate expiration. Implement rate-limiting mechanisms or cooldown periods to prevent rapid deposit and withdrawal cycles.

Assessed type

DoS
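The first recommended mitigation above (bounding the duration at initialization), shown as an added example that is not part of the submitted report or of Spectra's code. The contract name, `MIN_DURATION`, `MAX_DURATION`, `DurationError` and `AlreadyInitialized` are assumptions chosen for illustration, and the upper bound goes beyond what the report asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: duration bounds enforced before any state is written.
/// Not Spectra's PrincipalToken; all names and bounds here are assumptions.
contract BoundedDurationToken {
    // Hypothetical bounds; a real deployment would pick values for its market.
    uint256 public constant MIN_DURATION = 1 days;
    uint256 public constant MAX_DURATION = 1095 days;

    error AddressError();
    error AlreadyInitialized();
    error DurationError(uint256 provided, uint256 min, uint256 max);

    address public ibt;
    uint256 public duration;
    uint256 public expiry;
    bool private _initialized;

    function initialize(
        address _ibt,
        uint256 _duration,
        address _initialAuthority
    ) external {
        if (_initialized) revert AlreadyInitialized();
        if (_ibt == address(0) || _initialAuthority == address(0)) {
            revert AddressError();
        }
        // Reject zero or near-zero durations (token expired at birth)
        // and durations so long that the expiry is meaningless.
        if (_duration < MIN_DURATION || _duration > MAX_DURATION) {
            revert DurationError(_duration, MIN_DURATION, MAX_DURATION);
        }
        _initialized = true;
        ibt = _ibt;
        duration = _duration;
        // 0.8.x checked arithmetic reverts on overflow; the upper
        // bound above keeps this addition far from that limit.
        expiry = block.timestamp + _duration;
    }

    /// True once the configured term has elapsed.
    function isExpired() external view returns (bool) {
        return block.timestamp >= expiry;
    }
}
```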

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

gzeon-c4 commented 8 months ago

admin abuse

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid