code-423n4 / 2024-02-spectra-findings


Relying on `balanceOf` can lead to Price Manipulation Attack #259

Closed c4-bot-6 closed 7 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L499
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L588
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L868
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L870
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L871
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L121
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L124
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L128
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L129

Vulnerability details

Impact

Prices, or rates between assets more generally, derived from a ratio of balances can be manipulated. Flash loans and donations are the well-known attack vectors used to manipulate such prices. Example code snippet: https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L127

```solidity
/** @dev See {IYieldToken-actualBalanceOf} */
function actualBalanceOf(address account) public view override returns (uint256) {
    return super.balanceOf(account);
}
```

Tools Used

Manual review

Recommended Mitigation Steps

Implement internal accounting instead of relying on balanceOf.

Assessed type

Other
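Added example, not Spectra code and not part of the warden's report: a Python simulation of the general pattern the report argues about, contrasting a share rate derived from a live `balanceOf` (donation-manipulable) with one derived from internally tracked deposits (the recommended mitigation). The `Token`, `Vault` and account names are constructed for the simulation and go beyond the single `actualBalanceOf` snippet quoted above.

```python
class Token:
    """Minimal ERC-20-style ledger, constructed for this simulation."""
    def __init__(self):
        self.balances = {}

    def mint(self, to, amt):
        self.balances[to] = self.balances.get(to, 0) + amt

    def transfer(self, frm, to, amt):
        assert self.balances.get(frm, 0) >= amt, "insufficient balance"
        self.balances[frm] -= amt
        self.balances[to] = self.balances.get(to, 0) + amt

    def balance_of(self, who):
        return self.balances.get(who, 0)


class Vault:
    """Share vault. use_internal=True prices shares from internally tracked
    deposits (mitigation); False prices them from the live balanceOf."""
    ADDR = "vault"  # hypothetical vault address

    def __init__(self, token, use_internal):
        self.token, self.use_internal = token, use_internal
        self.total_shares, self.shares = 0, {}
        self.total_assets = 0  # only moves via deposit(); donations do not touch it

    def _assets(self):
        return self.total_assets if self.use_internal else self.token.balance_of(self.ADDR)

    def deposit(self, user, amt):
        assets = self._assets()
        minted = amt if self.total_shares == 0 else amt * self.total_shares // assets
        self.token.transfer(user, self.ADDR, amt)
        self.total_assets += amt
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        return minted

    def assets_per_share_e18(self):
        return self._assets() * 10**18 // self.total_shares


def donation_scenario(use_internal):
    """Return (rate before, rate after) a direct token transfer to the vault."""
    token = Token()
    token.mint("alice", 1_000)
    token.mint("mallory", 10_000)
    vault = Vault(token, use_internal)
    vault.deposit("alice", 1_000)
    before = vault.assets_per_share_e18()
    token.transfer("mallory", Vault.ADDR, 10_000)  # donation bypasses deposit()
    return before, vault.assets_per_share_e18()
```

With `balanceOf` pricing the rate jumps from 1e18 to 11e18 on a plain transfer; with internal accounting it stays at 1e18, which is the property a detection or invariant test should assert.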

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

gzeoneth commented 8 months ago

invalid

c4-judge commented 7 months ago

JustDravee marked the issue as unsatisfactory: Invalid