Open hats-bug-reporter[bot] opened 1 year ago
Please provide a POC, or step-by-step details on the exact attack vector, or else your submission will be invalidated.
Hi, I'm from the VMEX team. Do you have a TG or Discord where we can discuss this further?
Let's perform a detailed dry run to illustrate how an attacker could exploit the vulnerability in the `calc_balancer_lp_price()` function through a flash loan attack.

Initial State:

- totalSupply: 1,000,000 LP tokens
- balances: [500,000 tokens for asset A, 500,000 tokens for asset B]
- weights: [50%, 50%]
- pxA: Price of asset A
- pxB: Price of asset B

Flash Loan Execution:

The attacker initiates a flash loan to borrow a significant amount of funds within a single transaction.

Manipulation:

The attacker manipulates the totalSupply value of the Balancer pool by inflating or deflating it. Let's assume the attacker inflates the totalSupply to 2,000,000 LP tokens.

Calculation in `calc_balancer_lp_price()`:

The function calculates the LP token price based on the manipulated totalSupply. The calculation becomes:

```
fairResA = (balances[0] * 1e18 / 10 ** (tokens[0].decimals())) * weights[0]
fairResB = (balances[1] * 1e18 / 10 ** (tokens[1].decimals())) * weights[1]
LP price = (fairResA * pxA + fairResB * pxB) / totalSupply
```

Inaccurate Price:

Due to the manipulated totalSupply value of 2,000,000, the calculated LP token price will be distorted and will not reflect the true value. This can provide an advantage to the attacker.

Exploitation:

The attacker can exploit the distorted LP token price to perform various actions within the system, such as buying or selling tokens at favorable prices, performing arbitrage, or manipulating the prices of other assets.

Loan Repayment:

At the end of the transaction, the attacker repays the flash loan along with any associated fees, ensuring that the total borrowed amount is returned.

In this scenario, the attacker successfully exploits the vulnerability by manipulating the totalSupply value within a flash loan transaction. This manipulation leads to distorted price calculations, which the attacker can exploit for their benefit within the system.
Github username: --
Submission hash (on-chain): 0x9c6393997b37156e1f2ecf52e5b916801272b56e8f5e9a1d6a893f2573bcd040
Severity: high severity
Description:

Summary

The `getBeethovenPrice()` function in `VMEXOracle.sol` relies on the `get_lp_price` function of `BalancerOracle.sol` to calculate the LP token price. However, there is a potential security vulnerability related to the manipulation of the pool's totalSupply value, which can lead to inaccurate price calculations.

Description

The vulnerability arises from the dependence on the `totalSupply` value within the `calc_balancer_lp_price` function. By manipulating the `totalSupply` of the pool using a flash loan, an attacker could potentially distort the fair reserves used in the LP token price calculation. The `calc_balancer_lp_price` function returns the price by dividing it by `totalSupply`, which will be inflated in the case of a flash loan, so the price will not be the original one. That price is used in the `get_lp_price` function, which is then used in `VMEXOracle.sol` to get the price, which will be wrong.

Recommendation

To address this vulnerability and protect against supply manipulation attacks, consider using TWAP price
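A runnable model of the LP price formula from the dry run above and of the TWAP the recommendation points to, added here as an illustration (it is not VMEX or Balancer code; the asset prices, the 12 s block time and the 612 s window are constructed assumptions):

```python
# Constructed model of the LP price formula quoted in the report and of the
# TWAP the recommendation asks for. Not VMEX or Balancer code; all values are
# made up for illustration. Integer math in 1e18 ("WAD") units mimics Solidity.
WAD = 10**18

def calc_balancer_lp_price(balances, decimals, weights, prices, total_supply):
    """Spot LP price (WAD) following the report's formula:
    fairRes_i = normalised balance_i * weight_i; price = sum(fairRes_i * px_i) / totalSupply."""
    value = 0
    for bal, dec, w, px in zip(balances, decimals, weights, prices):
        fair_res = (bal * WAD // 10**dec) * w // WAD  # WAD-scaled fair reserve
        value += fair_res * px // WAD                 # WAD-scaled value of that reserve
    return value * WAD // total_supply

def time_weighted_average(samples, window):
    """samples: (timestamp, price) pairs in time order; each price holds until the
    next sample. Returns the TWAP over the last `window` seconds ending at the final
    sample, so a distortion lasting one block is diluted by the rest of the window."""
    end = samples[-1][0]
    start = end - window
    weighted = covered = 0
    for (t0, p), (t1, _) in zip(samples, samples[1:]):
        lo, hi = max(t0, start), min(t1, end)
        if hi > lo:
            weighted += p * (hi - lo)
            covered += hi - lo
    return weighted // covered

# Scenario from the report: 50/50 pool, 500k of each asset, 1M LP tokens.
# Assumed (constructed) prices: asset A = $1, asset B = $2.
BALANCES = [500_000 * WAD, 500_000 * WAD]
DECIMALS = [18, 18]
WEIGHTS = [WAD // 2, WAD // 2]
PRICES = [1 * WAD, 2 * WAD]
HONEST_SUPPLY = 1_000_000 * WAD
INFLATED_SUPPLY = 2_000_000 * WAD  # the report's manipulated totalSupply

def honest_price():
    return calc_balancer_lp_price(BALANCES, DECIMALS, WEIGHTS, PRICES, HONEST_SUPPLY)

def manipulated_price():
    # balances unchanged, totalSupply doubled, exactly as in the dry run above
    return calc_balancer_lp_price(BALANCES, DECIMALS, WEIGHTS, PRICES, INFLATED_SUPPLY)

def twap_across_manipulated_block():
    # 600 s at the honest price, one 12 s block at the manipulated price, honest again
    samples = [(0, honest_price()), (600, manipulated_price()), (612, honest_price())]
    return time_weighted_average(samples, window=612)
```

The spot read inside the manipulated block returns half the honest value, while the 612 s TWAP moves by about 1%, which is the dilution the recommendation relies on.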