code-423n4 / 2024-04-renzo-validation


Price Manipulation and Min Delay Vulnerabilities #160

Closed c4-bot-9 closed 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/TimelockController.sol#L234
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/TimelockController.sol#L402

Vulnerability details

Impact

These vulnerabilities pose a high risk to the integrity of TVL calculations and pricing within the protocol. Malicious actors could exploit these vulnerabilities to manipulate prices, leading to inaccurate TVL reporting, loss of user funds, and damage to the protocol's reputation.

Proof of Concept

Price Manipulation in Schedule Functions

Code Vulnerabilities

```solidity
function schedule(
    address target,
    uint256 value,
    bytes calldata data,
    bytes32 predecessor,
    bytes32 salt,
    uint256 delay
) public virtual onlyRole(PROPOSER_ROLE) {
    bytes32 id = hashOperation(target, value, data, predecessor, salt);
    _schedule(id, delay);
    emit CallScheduled(id, 0, target, value, data, predecessor, delay);
    if (salt != bytes32(0)) {
        emit CallSalt(id, salt);
    }
}
```

Min Delay for Price Changes

```solidity
function updateDelay(uint256 newDelay) external virtual {
    require(msg.sender == address(this), "TimelockController: caller must be timelock");
    emit MinDelayChange(_minDelay, newDelay);
    _minDelay = newDelay;
}
```

Impact Assessment

The vulnerabilities identified in the code can lead to:

  - Manipulation of prices affecting TVL calculations.
  - Frequent execution of operations affecting prices due to reduced timelock delays.
  - Inaccurate TVL reporting and potential loss of user funds.

Proof of Vulnerability

Price Manipulation Proof: Using a test environment or scripts, schedule operations with manipulated value parameters to observe changes in TVL calculations.

Min Delay Vulnerability Proof: Modify the newDelay parameter in the updateDelay function to a shorter duration, schedule operations affecting prices frequently, and observe the impact on TVL calculations and protocol behavior.

Tools Used

Manual code review, Security analysis tools

Recommended Mitigation Steps

  1. Implement robust input validation for price-related parameters in schedule and scheduleBatch functions to prevent price manipulation.
  2. Review and set appropriate minimum delay times in the updateDelay function to prevent rapid execution of operations affecting prices.
  3. Integrate with reliable price oracles and implement price sanity checks to validate prices before affecting TVL calculations.
  4. Conduct regular security audits and testing to identify and mitigate vulnerabilities in the codebase.
  5. Educate developers and auditors about secure coding practices and potential vulnerabilities related to TVL calculations and pricing.

Assessed type

Other
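
The check a reviewer would want before accepting the "min delay" claim above is whether `updateDelay` can actually be reached by anyone other than the timelock itself, and what a delay change has to go through first. The Foundry test below is an added example written for this page; it is not part of the warden's submission and not code from the Renzo repository. It assumes the contract at `contracts/TimelockController.sol` keeps the OpenZeppelin v4.x `TimelockController` API and revert strings (the `require` shown in the submission, the `delay >= getMinDelay()` check inside `_schedule`, the `execute` readiness check, and a four-argument constructor whose last argument is an optional admin), that `forge-std` is available, and that the import path below matches the repository layout; the role addresses and the 1-day delay are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";
// Assumed path to the Renzo copy of OpenZeppelin's TimelockController (v4.x API).
import {TimelockController} from "../contracts/TimelockController.sol";

contract TimelockDelayGateTest is Test {
    uint256 constant MIN_DELAY = 1 days;          // constructed value for the test
    TimelockController tl;
    address proposer = makeAddr("proposer");      // hypothetical role holders
    address executor = makeAddr("executor");
    address attacker = makeAddr("attacker");

    function setUp() public {
        address[] memory proposers = new address[](1);
        proposers[0] = proposer;
        address[] memory executors = new address[](1);
        executors[0] = executor;
        // address(0) admin: no account can grant itself roles outside the timelock flow.
        tl = new TimelockController(MIN_DELAY, proposers, executors, address(0));
    }

    // updateDelay is gated on msg.sender == address(this): no EOA and no role holder
    // can call it directly, so _minDelay cannot be shortened by an external caller.
    function testUpdateDelayRejectsDirectCall() public {
        vm.prank(attacker);
        vm.expectRevert("TimelockController: caller must be timelock");
        tl.updateDelay(0);

        vm.prank(proposer);
        vm.expectRevert("TimelockController: caller must be timelock");
        tl.updateDelay(0);
    }

    // The only route to updateDelay is a scheduled self-call, and that call is itself
    // subject to the minimum delay that is in force at scheduling time.
    function testDelayChangeMustWaitCurrentMinimum() public {
        bytes memory data = abi.encodeWithSelector(TimelockController.updateDelay.selector, uint256(1 hours));
        bytes32 salt = keccak256("shorten-delay");

        // Trying to schedule the change with a delay below the current minimum is rejected.
        vm.prank(proposer);
        vm.expectRevert("TimelockController: insufficient delay");
        tl.schedule(address(tl), 0, data, bytes32(0), salt, MIN_DELAY - 1);

        // Scheduling with the full minimum succeeds and emits CallScheduled on-chain.
        vm.prank(proposer);
        tl.schedule(address(tl), 0, data, bytes32(0), salt, MIN_DELAY);

        // Executing before the delay has elapsed fails.
        vm.prank(executor);
        vm.expectRevert("TimelockController: operation is not ready");
        tl.execute(address(tl), 0, data, bytes32(0), salt);

        // Only once the current minimum has passed does the new delay take effect.
        vm.warp(block.timestamp + MIN_DELAY);
        vm.prank(executor);
        tl.execute(address(tl), 0, data, bytes32(0), salt);
        assertEq(tl.getMinDelay(), 1 hours);
    }
}
```

Run with `forge test --match-contract TimelockDelayGateTest`. The second test is the useful one for triaging a report like this: it shows that a delay reduction is visible as a scheduled operation for a full minimum-delay window before it can land, which is the window in which guardians or users react, so a finding about "reduced timelock delays" has to explain how an attacker obtains PROPOSER_ROLE and EXECUTOR_ROLE and why that window is insufficient, not merely that `updateDelay` exists.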

raymondfam commented 5 months ago

@howlbot reject

raymondfam commented 5 months ago

Inadequate and insufficient proof.