code-423n4 / 2024-06-badger-validation


A user could sandwich the oracle update by opening and closing `cdp` to gain profits #154

Closed c4-bot-10 closed 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L34-L44
https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L255-L261

Vulnerability details

Impact

The system appears to function as a leveraged trading mechanism for STETH/EBTC, specifically designed for long positions. This is achieved through the use of Lending and Flashloan functionalities. Additionally, the system utilizes an oracle to track the BTC/stETH price, which plays a crucial role in its operations. Under certain market conditions, such as high volatility, a user could sandwich the oracle's action to update price by strategically opening and closing collateralized debt positions (CDPs) if they find it profitable. This could potentially lead to significant financial gains for the user at the expense of the system's integrity.

Proof of Concept

The system depends on the spot price provided by the BTC/stETH oracle. Essentially, the system functions as a leveraged trading mechanism for STETH/eBTC, primarily for long positions, utilizing Lending and Flashloan services. Upon depositing stETH, the system, guided by the oracle price, determines the amount of eBTC that can be minted for the user.

In scenarios where there are significant fluctuations in the stETH/eBTC spot price, a user could potentially make profits from the system. By carefully timing the opening and closing of CDPs, they could sandwich the oracle, thereby taking advantage of temporary price disparities to cover all associated fees and secure a profit.

Tools Used

Manual

Recommended Mitigation Steps

To prevent the exploitation of the system through the aforementioned method, it is recommended to disallow the opencdp and closecdp operations within the same block. This measure would reduce the likelihood of users being able to sandwich the oracle and take advantage of fleeting price discrepancies.

Assessed type

Oracle
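The following is an added illustration of the same-block guard described in the mitigation step of the finding above; it is not code from the eBTC repository, and the contract, struct and function names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Hypothetical minimal CDP registry (not eBTC's code) showing the
///         "no open and close in the same block" guard the finding recommends.
contract SameBlockGuardedCdp {
    struct Cdp {
        address owner;
        uint256 openedAtBlock; // block in which the position was created
        bool active;
    }

    mapping(bytes32 => Cdp) public cdps;
    uint256 private nonce;

    event CdpOpened(bytes32 indexed id, address indexed owner, uint256 blockNumber);
    event CdpClosed(bytes32 indexed id, address indexed owner, uint256 blockNumber);

    /// @dev Records the block number at open time; this is the state the
    ///      close-side check relies on.
    function openCdp() external returns (bytes32 id) {
        id = keccak256(abi.encodePacked(msg.sender, nonce++));
        cdps[id] = Cdp({owner: msg.sender, openedAtBlock: block.number, active: true});
        emit CdpOpened(id, msg.sender, block.number);
    }

    /// @dev Reverts when the position was opened in the current block, so a
    ///      single transaction or same-block bundle cannot open and close a
    ///      position around one oracle price update.
    function closeCdp(bytes32 id) external {
        Cdp storage c = cdps[id];
        require(c.active, "CDP not active");
        require(c.owner == msg.sender, "not owner");
        require(block.number > c.openedAtBlock, "open and close in same block");
        c.active = false;
        emit CdpClosed(id, msg.sender, block.number);
    }
}
```

Note that this guard only blocks same-block open/close pairs; a position held across blocks is still subject to the ordinary price movement the validator's reply below characterises as natural arbitrage, so it narrows the window rather than removing oracle exposure.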

jes16jupyter commented 2 months ago

Hi @alex-ppg Thank you for reviewing my submission. I would like to appeal the decision to mark it as invalid.

In scenarios where there are significant fluctuations in the stETH/eBTC spot price, a user could potentially make profits from the system by carefully timing the opening and closing of CDPs. They could sandwich the oracle, taking advantage of temporary price disparities to cover all associated fees and secure a profit.

Because the system functions as a leveraged trading mechanism for STETH/eBTC, primarily for long positions, if it is subject to sandwich attacks, the potential for exploitation increases significantly.

Given the potential for significant financial gains at the expense of the system’s integrity, I believe this finding should be reconsidered and classified appropriately.

Thanks~

alex-ppg commented 2 months ago

Hey @jes16jupyter, thank you for your PJQA contribution. I will preface this by saying that all validation repository findings unless deemed satisfactory are only reviewed by the validators and not the judge.

I am not sure how this vulnerability applies to the router. If it applies to the CDP system, it is out-of-scope. I do not see any oracle being integrated by the routers, and the way the vulnerability is described seems to me like natural arbitrage inherent with any oracle-based CDP protocol.