The absence of a mechanism or pause/un-pause to recover funds from the pool in the event of an issue poses a significant risk to user funds

hats-finance / Common--Stableswap-0xd4d9a2772202ce33b24901d3fc94e95a84b37430

Apache License 2.0

0 stars 0 forks source link

The absence of a mechanism or pause/un-pause to recover funds from the pool in the event of an issue poses a significant risk to user funds #34

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x16754701b8930964eddc5d97184565ab7696b1a15d4705720dc86c3ff05a0bf5 Severity: low

Description: Description\

Each pool does not have any fund recover functions if the pool undergo attack such as flashloan, oracle manipulation and any other DEFI pool related attacks.

The pool would suffer permanent loss and user funds gets affected.

The other issue we adde here, pause/un-pause function which will help stop the fund outflow till the issue is mitigated.

Though the system would look like centralised one, but having the multisig based fund recover mechanisms would alleviate this problem.

Revised Code File (Optional)

Pools can have function to recover the funds which is controlled by the owner.

JanKuczma commented 1 month ago

Thank you for your submission.

Your submission does not describe the PoC of any specific attack/vulnerability but it's rather a security recommendation in general which, as you mentioned, has its trade-offs.

aktech297 commented 1 month ago

Thank you for your submission.

Your submission does not describe the PoC of any specific attack/vulnerability but it's rather a security recommendation in general which, as you mentioned, has its trade-offs.

Most of the pool based DEFI protocol maintain such mechanisms to safeguard the funds. Pause and un-pause the deposit and withdrawal for some period till the issue is resolved.

Hi .. its well know problem that most of the pool related DEFI protocol faces. As we mentioned, there are more attack vectors such as oracle manipulation or flash loan.

We would provide here some of the real world examples.

https://www.immunebytes.com/blog/list-of-oracle-manipulation-exploits-hacks-in-crypto/

https://github.com/calvwang9/oracle-manipulation -- this has the POC example.

The impact is high. since it is well known issue, we thought to provide as low without poc.

JanKuczma commented 1 month ago

https://github.com/calvwang9/oracle-manipulation -- this has the POC example.

Out of scope.
This PoC doesn't apply here since the StablePool does not use price oracles (prices from other AMMs or other chains).