hats-finance / VMEX-0x050183b53cf62bcd6c2a932632f8156953fd146f

LP token lending protocol
MIT License

`getBeefyPrice` of VMEXOracle.sol is vulnerable to flashLoan attack #26

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: --
Submission hash (on-chain): 0x1205903146dbf337279ca88ecf2e6533a7b9946e73a842e27275b5d32355276a
Severity: high severity

Description:

Summary

The getBeefyPrice() function in the VMEXOracle.sol is vulnerable to a flash loan attack due to the calculation based on the total supply of LP tokens in the Beefy vault.

Impact

This vulnerability exposes the system to potential price manipulation and inaccurate price calculations for LP tokens. It could lead to financial losses for users relying on the calculated price.

Description

The getBeefyPrice() function in the provided code is vulnerable to a flash loan attack that can manipulate the calculation of the LP token price. This vulnerability arises due to the reliance on the getPricePerFullShare() method, which uses the total supply of LP tokens to calculate the price. By artificially manipulating the total supply, an attacker can influence the calculated price and potentially exploit the system.

Following is the getPricePerFullShare function from the Beefy vault:

```solidity
// Beefy vault: value of one full share in underlying, scaled by 1e18.
// Returns 1e18 (1:1) while no shares exist; otherwise balance / totalSupply.
function getPricePerFullShare() public view returns (uint256) {
    return totalSupply() == 0 ? 1e18 : balance() * 1e18 / totalSupply();
}
```

Nabeel-javaid commented 1 year ago

Here is a potential flash loan attack scenario showing how an attacker could manipulate the totalSupply value to influence the calculated price in the getPricePerFullShare() function.

Initial State:

- totalSupply = 1,000,000 LP tokens
- balance = 1,000 ETH (or equivalent value of underlying assets)

Flash Loan Execution:

The attacker initiates a flash loan to borrow a large amount of LP tokens, let's say 1,000,000 tokens. The flash loan is executed in a single transaction.

Manipulation:

The attacker artificially inflates the totalSupply value by adding the borrowed tokens to the existing supply. Now, the updated totalSupply becomes 2,000,000 tokens.

Calculation in getPricePerFullShare():

After the manipulation, the getPricePerFullShare() function is called. The calculation becomes: balance * 1e18 / totalSupply = 1,000 ETH * 1e18 / 2,000,000 = 500 ETH per share.

Profit:

The attacker exploits the manipulated price of 500 ETH per share and performs various actions within the system, such as selling tokens or performing arbitrage.

Loan Repayment:

At the end of the transaction, the attacker repays the flash loan along with any associated fees, ensuring that the total borrowed amount is returned.
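Editor's added illustration, not code from this report, from VMEX, or from the Beefy vault: the Python below mirrors the quoted getPricePerFullShare() arithmetic (balance * 1e18 / totalSupply with integer division) and shows the kind of consumer-side sanity check an oracle can apply to a share-price ratio, namely comparing each fresh reading against the last accepted reference and refusing readings that move more than a bounded amount in one step. The class and function names, the sample vault state and the 10% tolerance are assumptions made for the example; a time-weighted average of the ratio is the more common production mitigation, and the bound here is the simplest form of that idea.

```python
# Added example, not code from the VMEX repository or the Beefy vault.
# Mirrors getPricePerFullShare() (balance * 1e18 / totalSupply, integer
# division) and adds a deviation guard an oracle consumer could apply.
# All names, sample numbers and the tolerance below are illustrative assumptions.

WAD = 10**18  # 1e18 fixed-point scale used by the vault


def price_per_full_share(balance: int, total_supply: int) -> int:
    """Python equivalent of Beefy's getPricePerFullShare()."""
    if total_supply == 0:
        return WAD
    return balance * WAD // total_supply  # floor division, like the EVM


class GuardedSharePrice:
    """Hypothetical consumer-side guard: accept a share price only if it
    stays within max_deviation_bps of the last accepted reference.

    A reading whose balance/totalSupply ratio has swung sharply since the
    reference is rejected instead of being priced into the oracle.
    """

    def __init__(self, reference_price: int, max_deviation_bps: int = 1000):
        if reference_price <= 0:
            raise ValueError("reference price must be positive")
        self.reference_price = reference_price
        self.max_deviation_bps = max_deviation_bps  # 1000 bps = 10%

    def check(self, balance: int, total_supply: int) -> int:
        price = price_per_full_share(balance, total_supply)
        delta = abs(price - self.reference_price)
        # deviation in basis points relative to the accepted reference
        deviation_bps = delta * 10_000 // self.reference_price
        if deviation_bps > self.max_deviation_bps:
            raise ValueError(
                f"share price moved {deviation_bps} bps "
                f"(limit {self.max_deviation_bps}); refusing this reading"
            )
        # accept the reading and roll the reference forward
        self.reference_price = price
        return price


# Constructed sample state in the units of the scenario above:
# 1,000 ETH of underlying (in wei) backing 1,000,000 LP shares (1e18 units each).
SAMPLE_BALANCE = 1_000 * WAD
SAMPLE_SUPPLY = 1_000_000 * WAD


def baseline_price() -> int:
    """Share price for the constructed sample state."""
    return price_per_full_share(SAMPLE_BALANCE, SAMPLE_SUPPLY)


def reading_is_rejected(balance: int, total_supply: int) -> bool:
    """True if the guard refuses the reading against the baseline reference."""
    guard = GuardedSharePrice(baseline_price())
    try:
        guard.check(balance, total_supply)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("baseline price per share (wei):", baseline_price())
    # a doubled totalSupply halves the ratio: outside a 10% bound
    print("doubled supply rejected:",
          reading_is_rejected(SAMPLE_BALANCE, 2 * SAMPLE_SUPPLY))
    # a 1% drift in balance stays within the bound
    print("1% drift rejected:",
          reading_is_rejected(SAMPLE_BALANCE * 101 // 100, SAMPLE_SUPPLY))
```

With the sample numbers, the baseline comes out to 1e15 wei per share (0.001 ETH); note that the report's "500 ETH per share" figure uses the same formula without carrying the 1e18 scaling through, which the integer arithmetic here makes explicit. The guard only narrows how far one reading can move; it does not tell the consumer which of two disagreeing readings is the honest one, which is why a time-weighted reference is preferable when the underlying vault allows it.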

Nabeel-javaid commented 1 year ago

From issue #41 you can see the PoC.