Open c4-bot-9 opened 6 months ago
This finding asserts that the rebase changes the price. Other 2 reports assert that the rebase will break functionality.
GalloDaSballo marked the issue as duplicate of #88
GalloDaSballo marked the issue as sufficient quality report
Seems to show less impact than primary
trust1995 changed the severity to 3 (High Risk)
trust1995 marked the issue as partial-50
trust1995 marked the issue as satisfactory
trust1995 marked the issue as not a duplicate
trust1995 marked the issue as primary issue
trust1995 marked issue #125 as primary and marked this issue as a duplicate of 125
trust1995 marked the issue as not a duplicate
trust1995 marked the issue as primary issue
trust1995 marked the issue as selected for report
trust1995 changed the severity to 2 (Med Risk)
Since there will be many `PowerFarmTokens` deployed, there is no way for the team to perform the first deposit for all of them.
I think this assumption is wrong here, team deploys each token and farm by admin - one by one, and each time a new token/farm is created team can perform first deposit or necessary step, it is not a public function to create these that team cannot handle something like that or to say "there is no way to perform the first deposit for all of them" that's just blown off and far-fetched.
For transparency and per conversation with the sponsors, see here for the Wise Lending team's mitigation.
Additional notes: before any farm is publicly available, admin creating farms can ensure no further supplier to the farm would experience any loss due to described far-fetched scenario in this "finding".
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmController.sol#L53-L111
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L452-L463
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L465-L476
Vulnerability details
Impact
In certain scenarios, shares of a subsequent depositor can be heavily reduced, losing a large amount of his deposited funds, the attacker can increase the right side of the `previewMintShares` by adding rewards for compounding. That way victim can lose 6e17 of his assets for a deposit of 1e18.
Proof of Concept
Let’s see how a first user can grief a subsequent deposit and reduce his shares from the desired 1:1 ratio to 1:0000000000000005.
1. First, he needs to choose `PowerFarmToken` with no previous deposits.
2. `depositExactAmount` with 2 wei which will also call `syncSupply` → `_updateRewards` which is a key moment of the attack, this will make it possible for `PowerFarmController::exchangeRewardsForCompoundingWithIncentive` to be called when performing the donation.
3. `PowerFarmController::exchangeRewardsForCompoundingWithIncentive` → `addCompoundRewards` with 999999999999999996 that will increase the `totalLpAssetsToDistribute`, which is added to `underlyingLpAssetsCurrent` in the `_syncSupply` function, called from the modifier before the main functions.

PendlePowerFarmController.sol#L53-L111
PendlePowerFarmToken.sol#L452-L463
Both attacker and victim have 1 share, because of the fee that is taken in the deposit function.
After victim deposit:
totalSupply: 5, underlyingLpAssetsCurrent = 2e18 - 1
PendlePowerFarmToken.sol#L465-L476
User has lost 1e18 - 0.3e18 = 0.6e18 tokens.
Tools Used
Manual Review
Recommended Mitigation Steps
Since there will be many `PowerFarmTokens` deployed, there is no way for the team to perform the first deposit for all of them. Possible mitigation will be to have minimum deposit amount for the first depositor in the `PendlePowerToken`, which will increase the cost of the attack exponentially and there will be not enough reward tokens, making the `exchangeRewardsForCompoundingWithIncentive` revert, due to insufficient amount. Or just mint proper amount of tokens in the `initialize` function.
Assessed type
Other
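
The share-rounding effect and the minimum-first-deposit mitigation discussed in this report, as an added example that is not part of the original report or the Wise Lending code. It assumes a simplified pool (`SharePool`, `second_depositor_loss` and all values are hypothetical): shares are minted as floor(amount × supply / assets), there is no mint fee, and rewards are credited at once, so it does not reproduce the report's exact figures.

```python
# Added illustration: simplified share accounting, NOT the Wise Lending contract.
# Assumptions: minted = floor(amount * supply / assets), no mint fee,
# and rewards are credited to the pool immediately.
class SharePool:
    def __init__(self, min_first_deposit=0):
        self.supply = 0                              # total shares
        self.assets = 0                              # underlying held by the pool
        self.min_first_deposit = min_first_deposit   # hypothetical guard
        self.shares = {}

    def deposit(self, who, amount):
        if self.supply == 0:
            if amount < self.min_first_deposit:
                raise ValueError("first deposit below minimum")
            minted = amount                          # 1:1 on the first deposit
        else:
            minted = amount * self.supply // self.assets   # rounds down
        if minted == 0:
            raise ValueError("deposit would mint zero shares")
        self.supply += minted
        self.assets += amount
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def add_rewards(self, amount):
        self.assets += amount    # raises assets per share without minting

    def value_of(self, who):
        return self.shares.get(who, 0) * self.assets // self.supply


def second_depositor_loss(first_deposit, rewards, second_deposit, min_first_deposit=0):
    """Part of second_deposit that is not redeemable right after depositing."""
    pool = SharePool(min_first_deposit)
    pool.deposit("first", first_deposit)
    pool.add_rewards(rewards)
    pool.deposit("second", second_deposit)
    return second_deposit - pool.value_of("second")


# Constructed sample values in wei, not the figures from the report.
REWARDS = 10**18
SECOND = 15 * 10**17
unguarded_loss = second_depositor_loss(1, REWARDS, SECOND)
guarded_loss = second_depositor_loss(10**6, REWARDS, SECOND, min_first_deposit=10**6)
print("loss with 1 wei first deposit:   ", unguarded_loss)
print("loss with 1e6 wei first deposit: ", guarded_loss)
```

In this model the rounding loss of a deposit is bounded by the price of one share, so a larger enforced first deposit shrinks the bound for the same amount of added rewards.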