Closed c4-bot-3 closed 8 months ago
gzeon-c4 marked the issue as sufficient quality report
gzeon-c4 marked the issue as primary issue
gzeon-c4 marked the issue as insufficient quality report
> it will be small value since Bob redeemed his big deposit from C vault

Don't see how this works, ibtRate should still be the same after the vault redeem
yanisepfl (sponsor) disputed
IBT 4626 vaults that have such a volatile rate upon deposits/redeems are out of scope. Users are held responsible for the investment strategy they put their funds into and need to carefully check the IBTs before depositing in them. This will be clearly specified in our UI. Moreover, if there was such a vault, then it is intended that the associated PTs' worth in asset decreases (just like the IBTs' worth in asset). The difference is that in case the IBTs' rate goes up again, the PTs' rate would not go up as well, but instead the positive yield accumulates for the YT holders. Hence, all is intended and we dispute the validity of this issue.
JustDravee marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L912-L916
Vulnerability details
Impact
An attacker can decrease ptRate drastically and cause users a loss of funds.
Proof of Concept
`ibtRate` is being calculated relying on `previewRedeem()` of the vault. Let's say we have C Vault and it has a big amount of asset deposited; this amount will affect `ibtRate` as expected on PT contract initialize, which is expected. However, an attacker can front-run this initialize and deposit a huge amount in C Vault. Since `ibtRate` is calculated as a high rate, it could become bigger than `ptRate = RayMath.RAY_UNIT` (ptRate = 1e17). `ptRate` is set fixed as 1e27 but `ibtRate` is dynamic and its value is calculated according to the C vault assets amount.

What could happen? Bob waits for other users to deposit, then he redeems his big deposit from C vault, then makes a small deposit into the PT contract. `_getCurrentPTandIBTRates` will be called; the `currentIBTRate` will be calculated according to `previewRedeem()`, but it will be a small value since Bob redeemed his big deposit from C vault. Since `currentIBTRate` will be smaller than `ibtRate`, the block at L912-L916 will be executed because `currentIBTRate < ibtRate` will be true, and `ptRate` will be calculated and decreases to a very low value, unfortunately.

Attack Scenario:
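As an added illustration of the rate mechanism discussed in the proof of concept above (this is example code written for this page, not the warden's PoC and not Spectra's `PrincipalToken` code), the toy model below pairs a minimal ERC-4626-style vault with the stored `(ptRate, ibtRate)` rule the report describes: `ptRate` starts at `RAY` and is lowered only when the current IBT rate falls below the stored one. The proportional scaling of `ptRate`, the 18-decimal asset, the `ToyVault` and `PTRates` classes, and the two scenarios are all assumptions constructed for the example. Running it lets a reviewer check the sequence the report relies on: a large deposit followed by a redeem is pro-rata in both directions, so `previewRedeem(ibtUnit)` and therefore `ibtRate` are unchanged, while an actual loss of vault assets (the case the sponsor describes as intended) is what lowers `ptRate`, and a later gain raises `ibtRate` without raising `ptRate` again.

```python
# Added example: a toy ERC-4626 vault plus the stored-rate rule the report
# describes. Not Spectra's code; the proportional scaling of ptRate and the
# 18-decimal asset are assumptions of this example.

RAY = 10**27          # assumption: RayMath.RAY_UNIT, 27-decimal fixed point
IBT_UNIT = 10**18     # one IBT share, assuming an 18-decimal vault token


class ToyVault:
    """Minimal ERC-4626-style vault: shares are a pro-rata claim on assets.
    Constructed for this example; not any real vault's code."""

    def __init__(self, assets, shares):
        self.total_assets = assets
        self.total_shares = shares

    def deposit(self, assets):
        shares = assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def redeem(self, shares):
        assets = self.preview_redeem(shares)
        self.total_assets -= assets
        self.total_shares -= shares
        return assets

    def preview_redeem(self, shares):
        return shares * self.total_assets // self.total_shares

    def accrue(self, delta):
        # Yield (positive) or loss (negative) on the vault's own holdings:
        # the only thing that moves the share price in this model.
        self.total_assets += delta


def ibt_rate(vault):
    """Value of one IBT in asset, scaled to RAY (mirrors previewRedeem(ibtUnit))."""
    return vault.preview_redeem(IBT_UNIT) * RAY // IBT_UNIT


class PTRates:
    """Stored (ptRate, ibtRate) pair as the report describes: ptRate starts at
    RAY and only moves when the current IBT rate is below the stored one.
    Assumption: it is scaled down in proportion to the IBT rate drop."""

    def __init__(self, vault):
        self.vault = vault
        self.ibt_rate = ibt_rate(vault)   # snapshot taken at initialize
        self.pt_rate = RAY

    def current_rates(self):
        cur_ibt = ibt_rate(self.vault)
        if cur_ibt < self.ibt_rate:       # negative yield: PT holders absorb it
            cur_pt = self.pt_rate * cur_ibt // self.ibt_rate
        else:                             # positive yield: PT rate unchanged
            cur_pt = self.pt_rate
        return cur_pt, cur_ibt

    def update(self):
        self.pt_rate, self.ibt_rate = self.current_rates()
        return self.pt_rate, self.ibt_rate


def scenario_frontrun_then_redeem():
    """Bob deposits before PT initialize, then redeems. Returns the IBT rate
    at initialize and the (ptRate, ibtRate) stored after his redeem."""
    vault = ToyVault(1_000 * IBT_UNIT, 1_000 * IBT_UNIT)   # 1 IBT = 1 asset
    bob_shares = vault.deposit(1_000_000 * IBT_UNIT)
    pt = PTRates(vault)
    rate_at_init = pt.ibt_rate
    vault.redeem(bob_shares)
    pt.update()
    return rate_at_init, pt.pt_rate, pt.ibt_rate


def scenario_loss_then_yield():
    """Vault loses 10% of its assets, then earns 20% of the original back.
    Returns the (ptRate, ibtRate) pairs stored after each update."""
    vault = ToyVault(1_000 * IBT_UNIT, 1_000 * IBT_UNIT)
    pt = PTRates(vault)
    vault.accrue(-100 * IBT_UNIT)
    after_loss = pt.update()
    vault.accrue(200 * IBT_UNIT)
    after_yield = pt.update()
    return after_loss, after_yield


if __name__ == "__main__":
    print(scenario_frontrun_then_redeem())
    print(scenario_loss_then_yield())
```

In the first scenario all three returned values equal `RAY`: Bob's deposit mints shares at the current price and his redeem burns them at the same price, so the share price, and with it `ibtRate`, never moves, and the `currentIBTRate < ibtRate` branch is not taken. In the second scenario the 10% loss brings both rates to `0.9 * RAY`, and the subsequent gain lifts `ibtRate` to `1.1 * RAY` while `ptRate` stays at `0.9 * RAY`, which is the asymmetry the sponsor describes.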
Tools Used
Manual Review
Recommended Mitigation Steps
If ibtRate is higher than ptRate, revert, since we know that there is a rate inflation. Alternatively, as a suggestion, ptRate should always equal ibtRate on initialize.
Assessed type
Other