These vulnerabilities pose a high risk to the integrity of TVL calculations and pricing within the protocol. Malicious actors could exploit these vulnerabilities to manipulate prices, leading to inaccurate TVL reporting, loss of user funds, and damage to the protocol's reputation.
Proof of Concept
Price Manipulation in Schedule Functions
Code Vulnerabilities
Min Delay for Price Changes
function updateDelay(uint256 newDelay) external virtual {
require(msg.sender == address(this), "TimelockController: caller must be timelock");
emit MinDelayChange(_minDelay, newDelay);
_minDelay = newDelay;
}
Impact Assessment
The vulnerabilities identified in the code can lead to:
Manipulation of prices affecting TVL calculations.
Frequent execution of operations affecting prices due to reduced timelock delays.
Inaccurate TVL reporting and potential loss of user funds.
Proof of Vulnerability
Price Manipulation Proof:
Using a test environment or scripts, schedule operations with manipulated value parameters to observe changes in TVL calculations.
Min Delay Vulnerability Proof:
Modify the newDelay parameter in the updateDelay function to a shorter duration, schedule operations affecting prices frequently, and observe the impact on TVL calculations and protocol behavior.
Tools Used
Manual code review, Security analysis tools
Recommended Mitigation Steps
Implement robust input validation for price-related parameters in schedule and scheduleBatch functions to prevent price manipulation.
Review and set appropriate minimum delay times in the updateDelay function to prevent rapid execution of operations affecting prices.
Integrate with reliable price oracles and implement price sanity checks to validate prices before affecting TVL calculations.
Conduct regular security audits and testing to identify and mitigate vulnerabilities in the codebase.
Educate developers and auditors about secure coding practices and potential vulnerabilities related to TVL calculations and pricing.
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/TimelockController.sol#L234 https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/TimelockController.sol#L402
Vulnerability details
Impact
These vulnerabilities pose a high risk to the integrity of TVL calculations and pricing within the protocol. Malicious actors could exploit these vulnerabilities to manipulate prices, leading to inaccurate TVL reporting, loss of user funds, and damage to the protocol's reputation.
Proof of Concept
Price Manipulation in Schedule Functions Code Vulnerabilities
function schedule( address target, uint256 value, bytes calldata data, bytes32 predecessor, bytes32 salt, uint256 delay ) public virtual onlyRole(PROPOSER_ROLE) { bytes32 id = hashOperation(target, value, data, predecessor, salt); _schedule(id, delay); emit CallScheduled(id, 0, target, value, data, predecessor, delay); if (salt != bytes32(0)) { emit CallSalt(id, salt); } }
Min Delay for Price Changes function updateDelay(uint256 newDelay) external virtual { require(msg.sender == address(this), "TimelockController: caller must be timelock"); emit MinDelayChange(_minDelay, newDelay); _minDelay = newDelay; }
Impact Assessment The vulnerabilities identified in the code can lead to:
Manipulation of prices affecting TVL calculations. Frequent execution of operations affecting prices due to reduced timelock delays. Inaccurate TVL reporting and potential loss of user funds.
Proof of Vulnerability Price Manipulation Proof: Using a test environment or scripts, schedule operations with manipulated value parameters to observe changes in TVL calculations. Min Delay Vulnerability Proof: Modify the newDelay parameter in the updateDelay function to a shorter duration, schedule operations affecting prices frequently, and observe the impact on TVL calculations and protocol behavior.
Tools Used
Manual code review, Security analysis tools
Recommended Mitigation Steps
schedule
andscheduleBatch
functions to prevent price manipulation.updateDelay
function to prevent rapid execution of operations affecting prices.Assessed type
Other