code-423n4 / 2024-04-panoptic-findings


startToken is vulnerable to Frontrunning #552

Closed c4-bot-10 closed 2 months ago

c4-bot-10 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L221

Vulnerability details

Impact

The startToken function initializes critical aspects of the contract state, such as setting up whether token0 or token1 is considered the underlying token, setting up the Panoptic pool, the total supply of virtual shares, and various fees. If a malicious actor can see that a transaction is about to initialize these values, they could potentially front-run this transaction to set the initial state to their advantage or simply to prevent another user from successfully initializing the state (by causing the if (s_initialized) revert Errors.CollateralTokenAlreadyInitialized(); condition to trigger for the legitimate user).

Since startToken sets several economic parameters, a frontrunner could manipulate these initial conditions. This could include setting an advantageous fee structure or initializing the contract in a way that benefits them financially before any other users can interact under fair conditions.

Also, if a malicious user front-runs a legitimate initialization, they could destabilize the intended operational logic of the contract. By causing the initialization to occur under their control, subsequent legitimate attempts to initialize would fail, leading to potential disruptions in how the contract was supposed to function, or in some cases, locking out legitimate administrative actions which rely on initial setup conditions.

Proof of Concept

Loc

https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L221

    function startToken(
        bool underlyingIsToken0,
        address token0,
        address token1,
        uint24 fee,
        PanopticPool panopticPool
    ) external {
        // fails if already initialized
        if (s_initialized) revert Errors.CollateralTokenAlreadyInitialized();
        s_initialized = true;

        // these virtual shares function as a multiplier for the capital requirement to manipulate the pool price
        // e.g if the virtual shares are 10**6, then the capital requirement to manipulate the price to 10**12 is 10**18
        totalSupply = 10 ** 6;

        // set total assets to 1
        // the initial share price is defined by 1/virtualShares
        s_poolAssets = 1;

        // store the address of the underlying ERC20 token
        s_underlyingToken = underlyingIsToken0 ? token0 : token1;

        // store the Panoptic pool for this collateral token
        s_panopticPool = panopticPool;

        // cache the pool fee in basis points
        uint24 _poolFee;
        unchecked {
            _poolFee = fee / 100;
        }
        s_poolFee = _poolFee;

        // Stores the addresses of the underlying tracked tokens.
        s_univ3token0 = token0;
        s_univ3token1 = token1;

        // store whether the current collateral token is token0 (true) or token1 (false; since there's always exactly two tokens it could be)
        s_underlyingIsToken0 = underlyingIsToken0;

        // Additional risk premium charged on intrinsic value of ITM positions
        unchecked {
            s_ITMSpreadFee = uint128((ITM_SPREAD_MULTIPLIER * _poolFee) / DECIMALS);
        }
    }

Tools Used

Manual

Recommended Mitigation Steps

Use commit-reveal schemes.

Assessed type

Other
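Added example, not part of the submission above and not Panoptic's code: the initialize-once guard quoted in the report, with a caller check added, next to a factory that deploys and initializes in a single transaction so that no separate initialization transaction exists to be reordered. `GuardedCollateral`, `AtomicFactory` and their parameters are hypothetical names, and the example assumes direct deployment with `new`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example; every name here is hypothetical, not one of Panoptic's contracts.

/// Initialize-once guard plus a caller check: only the deployer may initialize.
contract GuardedCollateral {
    error AlreadyInitialized();
    error NotDeployer();

    address public immutable deployer; // account or contract that created this instance
    bool public initialized;
    address public underlyingToken;
    uint24 public poolFee;

    constructor() {
        deployer = msg.sender;
    }

    function startToken(address token, uint24 fee) external {
        // A flag alone lets the first caller win; the caller check removes that race.
        if (msg.sender != deployer) revert NotDeployer();
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        underlyingToken = token;
        poolFee = fee / 100; // same scaling to basis points as the quoted code
    }
}

/// Factory that deploys and initializes in the same transaction, leaving no
/// window between creation and initialization for another transaction.
contract AtomicFactory {
    event Deployed(address indexed tracker, address indexed token, uint24 fee);

    function deploy(address token, uint24 fee) external returns (GuardedCollateral tracker) {
        tracker = new GuardedCollateral(); // constructor records this factory as deployer
        tracker.startToken(token, fee);    // executes before any other transaction can reach `tracker`
        emit Deployed(address(tracker), token, fee);
    }
}
```

If instances are created as minimal proxy clones instead of with `new`, the constructor does not run per clone, so the caller check would have to be stored another way or the clone initialized inside the creating transaction.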

c4-judge commented 2 months ago

Picodes marked the issue as duplicate of #571

c4-judge commented 2 months ago

Picodes marked the issue as unsatisfactory: Invalid