search

code-423n4 / 2024-02-spectra-findings

4 stars 2 forks source link

Flashloan Re-entrancy Attack #45

Closed c4-bot-6 closed 8 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L609-L631

Vulnerability details

Impact

Discounted shares can be minted during a flashloan callback re-entrancy which can drain the protocol.

Proof of Concept

During a flashloan, the ibt is transferred out before the flashloan callback, which decreases the totalAssets of the PrincipalToken vault:

    function totalAssets() public view override returns (uint256) {
        return IERC4626(ibt).previewRedeem(IERC4626(ibt).balanceOf(address(this)));
    }

With a lower totalAssets, the attacker can deposit a lower amount of assets to get the same amount of shares. This essentially drains the protocol because when the assets are redeposited after the flashloan is returned, those shares can be redeemed for a larger amount of assets.

Tools Used

Manuel review

Recommended Mitigation Steps

Add a non-reentrant modifier to external functions in PrincipalToken.sol

Assessed type

Reentrancy

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as primary issue

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as sufficient quality report

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

gzeon-c4 commented 8 months ago

totalAssets not used to calculate deposit

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid