code-423n4 / 2024-04-gondi-findings


In Pool.sol, disabled slippage protection in reallocate flow putting undeployed funds at risk #2

Closed c4-bot-8 closed 7 months ago

c4-bot-8 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/pools/Pool.sol#L411

https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/pools/Pool.sol#L600

Vulnerability details

Impact

In Pool.sol, disabled slippage protection in the reallocate flow puts undeployed funds at risk.

Proof of Concept

In Pool.sol, when LidoEthBaseInterestAllocator.sol is set as getBaseInterestAllocator, slippage protection is disabled in multiple reallocate flows.

When the pool doesn't have enough capital, reallocation is needed to move funds from getBaseInterestAllocator to the pool through IBaseInterestAllocator(getBaseInterestAllocator).reallocate(), which takes in three parameters including bool _force, a toggle for slippage protection in LidoEthBaseInterestAllocator.sol.

When bool _force is hard-coded to true, slippage protection is turned off, which allows any WETH amount to be transferred to the pool without reverting. This might cause undeployed funds in the allocator to be exploited in a Curve pool swap, resulting in a loss.

See below instances where _force is set to true:

(1)

//src/lib/pools/Pool.sol
    function validateOffer(bytes calldata _offer, uint256 _protocolFee) external override onlyAcceptedCallers {
...
        } else if (principalAmount > currentBalance) {
            IBaseInterestAllocator(getBaseInterestAllocator).reallocate(
|>                currentBalance, principalAmount - currentBalance, true
            );
        }
...

(https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/pools/Pool.sol#L411)

(2)

//src/lib/pools/Pool.sol
    function _reallocateOnWithdrawal(uint256 _withdrawn) private {
...
|>        IBaseInterestAllocator(getBaseInterestAllocator).reallocate(currentBalance, _withdrawn + targetIdle, true);
...

(https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/pools/Pool.sol#L600)

Tools Used

Manual

Recommended Mitigation Steps

Enable slippage protection.

Assessed type

Other
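The following is an added example, not part of the original report or the Gondi code base: a small review helper that lists every `reallocate()` call site whose third argument is the literal `true`, so each forced call can be checked against the intended behaviour. The sample source is constructed from the two snippets quoted above; `hypotheticalCaller` is a made-up function, and the scanner assumes no parentheses appear inside string literals or comments.

```python
import re

# Constructed sample input: the two call sites quoted in the report above,
# plus one hypothetical call that passes a variable instead of a literal.
SAMPLE = '''
function validateOffer(bytes calldata _offer, uint256 _protocolFee) external {
    } else if (principalAmount > currentBalance) {
        IBaseInterestAllocator(getBaseInterestAllocator).reallocate(
            currentBalance, principalAmount - currentBalance, true
        );
    }
}
function _reallocateOnWithdrawal(uint256 _withdrawn) private {
    IBaseInterestAllocator(getBaseInterestAllocator).reallocate(currentBalance, _withdrawn + targetIdle, true);
}
function hypotheticalCaller(bool _force) external {
    IBaseInterestAllocator(getBaseInterestAllocator).reallocate(a, min(b, c), _force);
}
'''

def split_args(src, open_idx):
    """Return top-level arguments of the call whose '(' is at open_idx."""
    depth, start, args = 0, open_idx + 1, []
    for i in range(open_idx, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append(src[start:i].strip())
                return args
        elif ch == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
    raise ValueError("unbalanced parentheses")

def find_forced_reallocate(src):
    """List (line_number, args) for reallocate() calls whose 3rd arg is literal true."""
    hits = []
    for m in re.finditer(r"\.reallocate\s*\(", src):
        args = split_args(src, m.end() - 1)
        if len(args) == 3 and args[2] == "true":
            hits.append((src.count("\n", 0, m.start()) + 1, args))
    return hits

if __name__ == "__main__":
    for line, args in find_forced_reallocate(SAMPLE):
        print(f"line {line}: reallocate({', '.join(args)})  <- _force hard-coded")
```

Call sites that pass a variable or expression for `_force` are not reported; they need a data-flow review rather than a literal match.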

c4-judge commented 7 months ago

0xA5DF marked the issue as primary issue

0xend commented 7 months ago

These are cases where even if there's a slippage larger than expected, we want the txn to go through

c4-judge commented 7 months ago

0xA5DF changed the severity to QA (Quality Assurance)

0xA5DF commented 7 months ago

Marking as low due to sponsor's comment

0xA5DF commented 7 months ago

Moving credit to #82

c4-judge commented 7 months ago

0xA5DF marked the issue as grade-c