Closed c4-bot-10 closed 3 months ago
Hi @alex-ppg, thank you for reviewing my submission. I would like to appeal the decision to mark it as invalid.
In scenarios where there are significant fluctuations in the stETH/eBTC spot price, a user could potentially make profits from the system by carefully timing the opening and closing of CDPs. They could sandwich the oracle, taking advantage of temporary price disparities to cover all associated fees and secure a profit.
Because the system functions as a leveraged trading mechanism for STETH/eBTC, primarily for long positions, if it is subject to sandwich attacks, the potential for exploitation increases significantly.
Given the potential for significant financial gains at the expense of the system’s integrity, I believe this finding should be reconsidered and classified appropriately.
Thanks~
Hey @jes16jupyter, thank you for your PJQA contribution. I will preface this by saying that all validation repository findings unless deemed satisfactory are only reviewed by the validators and not the judge.
I am not sure how this vulnerability applies to the router. If it applies to the CDP system, it is out-of-scope. I do not see any oracle being integrated by the routers, and the way the vulnerability is described seems to me like natural arbitrage inherent with any oracle-based CDP protocol.
Lines of code
https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L34-L44
https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L255-L261
Vulnerability details
Impact
The system appears to function as a leveraged trading mechanism for stETH/eBTC, specifically designed for long positions. This is achieved through the use of lending and flashloan functionalities. Additionally, the system utilizes an oracle to track the BTC/stETH price, which plays a crucial role in its operations. Under certain market conditions, such as high volatility, a user could sandwich the oracle's price update by strategically opening and closing collateralized debt positions (CDPs) if they find it profitable. This could potentially lead to significant financial gains for the user at the expense of the system's integrity.
Proof of Concept
The system depends on the spot price provided by the BTC/stETH oracle. Essentially, the system functions as a leveraged trading mechanism for stETH/eBTC, primarily for long positions, utilizing lending and flashloan services. Upon depositing stETH, the system, guided by the oracle price, determines the amount of eBTC that can be minted for the user. In scenarios where there are significant fluctuations in the stETH/eBTC spot price, a user could potentially make profits from the system. By carefully timing the opening and closing of CDPs, they could sandwich the oracle, thereby taking advantage of temporary price disparities to cover all associated fees and secure a profit.
Tools Used
Manual
Recommended Mitigation Steps
To prevent the exploitation of the system through the aforementioned method, it is recommended to disallow the openCdp and closeCdp operations within the same block. This measure would reduce the likelihood of users being able to sandwich the oracle and take advantage of fleeting price discrepancies.
Assessed type
Oracle
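Added illustration of the mitigation proposed above (not code from the eBTC repository or from either participant): a minimal Solidity guard that records the block in which a CDP was opened through a router and reverts if the same CDP is closed in that block. The contract name, the `openedAtBlock` mapping, and the `_openCdp` / `_closeCdp` placeholders are hypothetical; a real router would forward those calls to the CDP manager.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical same-block guard (added example, not eBTC code).
/// It records the block in which each CDP was opened through this contract
/// and refuses a close in that same block, so an open and a close cannot be
/// bundled into one transaction or one block around an oracle update.
abstract contract SameBlockCdpGuard {
    error SameBlockClose(bytes32 cdpId, uint256 openedAt);

    /// cdpId => block.number of the open that went through this contract
    mapping(bytes32 => uint256) public openedAtBlock;

    function _recordOpen(bytes32 cdpId) internal {
        openedAtBlock[cdpId] = block.number;
    }

    /// Reverts if the CDP was opened here in the current block; clears the
    /// record after a successful close so the id can be reused safely.
    modifier notSameBlock(bytes32 cdpId) {
        uint256 openedAt = openedAtBlock[cdpId];
        if (openedAt != 0 && openedAt == block.number) {
            revert SameBlockClose(cdpId, openedAt);
        }
        _;
        delete openedAtBlock[cdpId];
    }
}

/// Sketch of a router wired to the guard. `_openCdp` and `_closeCdp` are
/// hypothetical stand-ins for the calls into the CDP manager.
contract GuardedRouterExample is SameBlockCdpGuard {
    event Opened(bytes32 indexed cdpId, address indexed owner);
    event Closed(bytes32 indexed cdpId, address indexed owner);

    uint256 private nonce;

    function openCdp(uint256 collateral, uint256 debt) external returns (bytes32 cdpId) {
        cdpId = _openCdp(collateral, debt);
        _recordOpen(cdpId);
        emit Opened(cdpId, msg.sender);
    }

    function closeCdp(bytes32 cdpId) external notSameBlock(cdpId) {
        _closeCdp(cdpId);
        emit Closed(cdpId, msg.sender);
    }

    // Placeholder: derives a unique id instead of calling the CDP manager.
    function _openCdp(uint256, uint256) internal returns (bytes32) {
        return keccak256(abi.encodePacked(msg.sender, nonce++));
    }

    // Placeholder: a real router would forward to the CDP manager here.
    function _closeCdp(bytes32) internal {}
}
```

Two checks worth making before relying on a guard like this: it only sees CDPs opened through the router, so a user who opens directly against the CDP manager (or from a second address) is not covered unless the manager itself enforces the rule, and a one-block delay does not stop a sandwich placed across two adjacent blocks, it only removes the single-transaction variant.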