Closed c4-bot-2 closed 3 months ago
Hi @alex-ppg,
Similar to #593, I assume this "insufficient quality report" was given solely based on the presence of the onlyOperator
modifier.
As mentioned here and here, the onlyOperator
modifier should not be considered a valid limitation, and anyone will be able to add pairs within a specific token list.
This issue is similar but not a duplicate of #593.
It showcases a situation where two medium-level issues (DoS and by that preventing liquidations through manipulating the price feed, and accounting for fees ahead of time) can be leveraged to create a high-level issue. With this issue, an attacker can definitively take advantage and steal funds from other pairs. While it would require an extended time frame (> 1 year) for the attacker to be profitable, it also demonstrates that this vulnerability cannot be prevented.
The assumption in this issue description is that the low-level issue from #593 is fixed and the IRM parameters are within the desired values, and as such this is different attack vector.
Hey @0xklapouchy, thanks for contributing to the PJQA process! First of all, this represents a validation repository finding and as such was not evaluated by me directly.
I understand that the Sponsor might have changed their mind mid-contest, however, no change was reflected in the repository. As such, I cannot accept issues that rely on assumptions that have not been properly reflected on the contest page. I will surface these findings to the Sponsor in case they might find them useful, however, from a C4 perspective, the submission is ineligible for a reward.
It is possible to register a malicious oracle and make settlements impossible. This could indeed affect existing pairs as well. As with other reports, I would like to accept this as a medium risk.
Hey @0xklapouchy and @syuhei176, thank you for continuing the discussion! I understand that the situation is unfortunate, however, I will have to maintain my original ruling as a matter of precedence.
The validators as well as the judge have approached this contest without the additional information in mind, and it is reasonable to assume that Wardens have downloaded the repository / accessed it via the C4 portal without scouring the C4 discussions. I myself have participated in C4 contests without looking at the Discord discussions and it is not reasonable to assume all wardens will have checked Discord.
As a result, any vulnerability arising from the newly shared context will remain out-of-scope in the interest of fairness. I empathize with your disagreement about this ruling @0xklapouchy, and hope you find solace in the fact that the Sponsor found your report useful!
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/libraries/ApplyInterestLib.sol#L71-L72 https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/libraries/logic/AddPairLogic.sol#L181 https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/libraries/PositionCalculator.sol#L141-L144
Vulnerability details
The updated requirement allowing anyone to add pairs introduces a potential attack vector.
An attacker can duplicate any existing pair containing liquidity with a new pair that uses a malicious price feed. This price feed, for example, always reverts if called by anyone other than the attacker. This prevents the liquidation of insolvent positions.
While price feed manipulation alone does not benefit the attacker, a flaw in how the creator/protocol revenue is accounted for ahead of time creates an opportunity for exploitation.
If the pair creator sets the fee to the maximum amount of 20%, 10% of that fee is designated for him. The issue within the protocol is that the fee is calculated ahead of time and not during the repayment of the loan.
As a result, the attacker can trade a perpetual contract, for example, valued at 1000 USD. Assuming the IRM parameters are within the protocol's desired values (base rate of 100% and maximum interest rate of 1100%), the position can be made insolvent but non-liquidatable. Over a long period, the attacker can extract value from other pairs.
Even though the attack on the Predy protocol can take up to a year, there is no way to block it, except by asking users to remove liquidity from the protocol.
Impact
Over a long period, funds can be extracted from other pairs.
Proof of Concept
withdrawCreatorRevenue()
on the pair he controls.Note: The liquidation of the insolvent position is not possible because the call to the price feed always reverts.
If the protocol does not react by calling on all users to withdraw their liquidity, the attacker will benefit from effectively printing infinite money with an interest rate of 1100% per year on the amount he traded his perp for, for example, the 1000 USD value.
PoC Tests
This test illustrates how to use extract funds:
Create
test/PoC/TestPoCOracleDoS.t.sol
andtest/mocks/PriceFeedDoSContract.sol
, then runforge test --match-test testPoCOracleDoS -vvvv
.Recommended Mitigation Steps
Assessed type
Invalid Validation