Open hats-bug-reporter[bot] opened 6 months ago
To make it clear, the flow would be:
- `cap` and `currentUtilisation()` (for oUSDC)
- `investWithToken`, from USDC -> oUSDC, `fromTokenAmount` = gap amount
- `exitToToken`, from oUSDC -> USDC, `investmentTokenAmount` = gap amount
- `exitToToken` in manager will trigger `preCheck`, updating bucket to cap, fill up utilisation.

Using these steps which is done in one transaction can freeze user exit due to daily cap reached
Thanks for the finding @chainNue
While there's no economic benefit, someone could do this as a DoS.
We'll consider if we remediate with:
Thanks @frontier159 for accepting this issue (and my other issue as well),
Indeed, there is no economic benefit; a short-term freezing of user funds is a medium one. If there is no mechanism to mitigate this issue, someone can easily block exits by filling up the cap, thus valid users can hardly exit their assets unless the protocol intervenes by increasing the cap, but that does not prevent a user from doing the same attack again (or the cap loses its meaning).
Agree with the solution you're going to take, a cooldown and an exit fee I think is enough to mitigate this issue.
> Agree with the solution you're going to take, a cooldown and an exit fee I think is enough to mitigate this issue.

To be clear I think either of those is enough, don't need both
yes, you are right, it's an OR not an AND
Another solution is to disable exits on the same block number as investments. Kind of a super short cooldown, only affecting invest-and-exit in the same transaction (flash loans).
Github username: --
Twitter username: --
Submission hash (on-chain): 0xa152e0fc679f9840949b13a8713252bd1f4f032c33244d6bff807347e639bce3
Severity: medium
Description:
There is a maximum daily `cap` implemented on circuitBreaker contract to prevent any abnormal ovUSDC exits by users. The `preCheck` will increment current `bucketIndex` amount, beside checking if the sum of rolling period buckets is still under the cap.
The issue here is, attacker can flash-loan in order to fill-up the rolling period until it reached its cap.
By using flash-loaned USDC, then `investWithToken` oUSDC and `exitToToken` in a single transaction. This flash loan can trigger `preCheck` and fill up the `cap` easily.
Attack Scenario
- (`investWithToken`) with some amount of USDC from the flash-loan
- `OrigamiInvestmentVault::investWithToken()` -> `OrigamiOToken::investWithToken()` -> `OrigamiLendingSupplyManager::investWithToken()` -> `OrigamiLendingClerk::deposit`, there is no fee deducted here, thus USDC -> oUSDC will be 1:1, and get shares ovUSDC
- `OrigamiLendingSupplyManager::exitToToken()` and passing all shares, to circuit breaker `preCheck` (and save it to current index bucket), then fill it near the cap

This issue can cause temporary DoS, preventing legitimate user exit ovUSDC normally due to filled cap.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Recommendation
Consider implementing a preventive measure to disallow both invest and exit in the same block. This would introduce a delay or separation between these operations, reducing the risk of the flash-loan attack scenario.
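
The same-block restriction recommended above, as an added example that is not part of the original report or Origami's code: a simplified Python model of a rolling-bucket exit cap, in which the class names, the block-number bookkeeping and all amounts are assumptions. It shows a full-gap invest and exit in one block leaving a long-standing holder unable to exit, and the same sequence being rejected before it reaches the cap when the guard is on.

```python
# Constructed model for illustration; names and numbers are assumptions.
class CapBreached(Exception): pass
class SameBlockExit(Exception): pass

class CircuitBreaker:
    """Rolling-window cap: the sum of the live buckets must stay <= cap."""
    def __init__(self, cap, n_buckets, blocks_per_bucket):
        self.cap, self.n, self.span = cap, n_buckets, blocks_per_bucket
        self.buckets = {}  # bucket number -> amount exited in that bucket
    def utilisation(self, block):
        cur = block // self.span
        # Only the n most recent buckets count; older ones have rolled off.
        return sum(v for b, v in self.buckets.items() if cur - self.n < b <= cur)
    def pre_check(self, block, amount):
        if self.utilisation(block) + amount > self.cap:
            raise CapBreached(amount)
        cur = block // self.span
        self.buckets[cur] = self.buckets.get(cur, 0) + amount

class Vault:
    def __init__(self, breaker, same_block_guard):
        self.breaker, self.guard = breaker, same_block_guard
        self.shares, self.last_invest = {}, {}
    def invest(self, who, amount, block):
        self.shares[who] = self.shares.get(who, 0) + amount  # 1:1, no fee
        self.last_invest[who] = block
    def exit(self, who, amount, block):
        if amount > self.shares.get(who, 0):
            raise ValueError("insufficient shares")
        # The guard runs before the breaker, so a rejected exit uses no cap.
        if self.guard and self.last_invest.get(who) == block:
            raise SameBlockExit(who)
        self.breaker.pre_check(block, amount)
        self.shares[who] -= amount

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except (CapBreached, SameBlockExit) as err:
        return type(err).__name__

def simulate(same_block_guard):
    breaker = CircuitBreaker(cap=1_000_000, n_buckets=24, blocks_per_bucket=300)
    vault = Vault(breaker, same_block_guard)
    vault.invest("alice", 50_000, 100)             # long-standing holder
    gap = breaker.cap - breaker.utilisation(200)   # cap minus current utilisation
    vault.invest("looper", gap, 200)               # invest and exit in block 200
    looper = attempt(vault.exit, "looper", gap, 200)
    alice = attempt(vault.exit, "alice", 50_000, 201)
    return looper, alice, breaker.utilisation(201)
```

The guard only covers invest and exit in the same block, which is the flash-loan case the report describes; the cooldown and exit fee options mentioned in the comments are not modelled.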