Open hats-bug-reporter[bot] opened 1 year ago
Thanks for your input. This is the famous donation attack that Cream finance suffered, and we have already considered this attack in previous discussions and audits. You are correct that you can inflate the price of the beefy token, but if you try to make that attack profitable, you will find that it is impossible. This is because Cream finance allowed the yearn vault tokens to be borrowed, and that allowed the attacker to decrease the total shares while still keeping the same number of yearn tokens as collateral. Because our protocol does not allow these vault tokens to be borrowed, under the situation you have described, the donated tokens are irrevocably lost in the vault, and the vault tokens are truly worth what the oracles report, as the rewards that you donated will be distributed among the vault token holders. You can also check the many protocols that use yearn or beefy vault tokens as collateral successfully in the past, as long as they don't allow borrowing. If you are able to find any profitable attack, please follow up.
See the below proof: If you can't borrow your original yearn out, you can't decrease the total shares. Then, the most you can increase the value of your collateral for a given x donation to the yearn contract is: assume you have y shares and z underlying in the yearn vault. The current price per share is z/y. Through a donation of x, you can make the price per share (z+x)/y. This means the ratio of your gain in collateral (gain in price per share) to the amount you put in (x) can never exceed 1. This means such an attack can never repay the original amount needed to donate to the yearn vault contract, x.
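The bound argued in the comment above, worked through as an added Python example (not code from this thread or from the protocol). It goes slightly beyond the comment by letting the donor hold only part of the vault's shares. The `Vault` model, the function names, the `ltv` parameter and all sample amounts are constructed assumptions.

```python
from fractions import Fraction

class Vault:
    """Constructed share-accounting model of a yearn/beefy-style vault (not the real contract)."""
    def __init__(self):
        self.total_shares = Fraction(0)  # y in the comment above
        self.underlying = Fraction(0)    # z, what balance() reports

    def price_per_share(self):
        return self.underlying / self.total_shares

    def deposit(self, amount):
        # Mint shares at the current price; the first depositor gets 1:1.
        amount = Fraction(amount)
        if self.total_shares == 0:
            shares = amount
        else:
            shares = amount * self.total_shares / self.underlying
        self.total_shares += shares
        self.underlying += amount
        return shares

    def donate(self, amount):
        # Direct transfer to the vault: underlying grows, no shares are minted.
        self.underlying += Fraction(amount)

def donation_outcome(others_deposit, donor_deposit, donation, ltv):
    """Return (collateral_gain, extra_borrow_capacity, marginal_result) for a donor
    who cannot borrow vault shares out, so total shares stay fixed."""
    vault = Vault()
    if others_deposit:
        vault.deposit(others_deposit)
    donor_shares = vault.deposit(donor_deposit)
    before = donor_shares * vault.price_per_share()
    vault.donate(donation)                      # price: z/y -> (z+x)/y
    gain = donor_shares * vault.price_per_share() - before
    extra_borrow = gain * Fraction(ltv)         # ltv < 1 is an assumed lending parameter
    return gain, extra_borrow, extra_borrow - Fraction(donation)

def max_gain_ratio():
    """Largest gain/donation over a constructed grid of pool splits and donation sizes."""
    ratios = []
    for others in (0, 1, 900, 10**6):
        for donation in (1, 1000, 10**9):
            gain, _, _ = donation_outcome(others, 100, donation, Fraction(4, 5))
            ratios.append(gain / donation)
    return max(ratios)

if __name__ == "__main__":
    print(donation_outcome(900, 100, 1000, Fraction(4, 5)))
    print(max_gain_ratio())
```

The ratio reaches 1 only when the donor holds every share; with any other holder in the vault, part of the donation accrues to them, and an LTV below 1 reduces the extra borrow capacity further.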
> Because our protocol does not allow these vault tokens to be borrowed

Am I understanding this correctly?
direct borrowing is not allowed, but the vault LP token can still serve as collateral to borrow other assets?
if the borrowed asset is more profitable than the donated LP, the attack is considered profitable; this depends on the price and worth of the borrowed asset as well
the vault LP token can still serve as collateral; the user can inflate the share price to over-value the collateral and avoid liquidation
Yes, it can be used as collateral to borrow other assets. What you described is not an attack: when you donate the tokens to the vault, the tokens are ACTUALLY worth that much, since your donation is distributed to the vault holders. There is no vulnerability. Please check the existing protocols that use vault tokens, like alchemix, inverse, etc.
Github username: @ArnieGod
Submission hash (on-chain): 0xf21da3201ed464018015333ab083f8a3c1c3f328c14cd331409aa4889f02d55a
Severity: high severity
Description:
Vulnerability Report
Description
see this function,
note the beefy oracle
the beefy oracle is derived from beefyVault.getPricePerFullShare()
I would like to make the claim:
Beefy oracle pricePerFullShare can be inflated and manipulated by malicious donation of the underlying token (with coded proof)
let us pick an example and live pool and manipulate the getPricePerFullShare() in a live pool
we can go to this page
https://app.beefy.com/vault/velodrome-wsteth-op
and we can acquire the beefy vault address
https://optimistic.etherscan.io/address/0x4a6F75A5A996F16D467e3452DC9ED4BFFcB4DD4b
we are calling getPricePerFullShare() in this vault
https://optimistic.etherscan.io/address/0x4a6F75A5A996F16D467e3452DC9ED4BFFcB4DD4b#code#F1#L85
what is balance()?
https://optimistic.etherscan.io/address/0x4a6F75A5A996F16D467e3452DC9ED4BFFcB4DD4b#code#F1#L67
note the function call:
in this case, it is the lp token for wstETH / OP
https://optimistic.etherscan.io/address/0x3905870e647c97cb9c8d99db24384f480531b5b9
ok, so if we can get a large amount of lp token of wstETH / OP and transfer the LP token directly to the beefy vault, the want().balanceOf(address(this)) is inflated,
user can first acquire a flashloan to purchase a large amount of OP and wstETH token, then add liquidity via the velodrome router to the wstETH / OP pool to get the lp token
and the pricePerFullShare is inflated, then the oracle of the beefy vault is no longer reliable and can over-value the collateral worth
then the user overborrows to drain the lending pool of vmex finance
impact
the oracle is very important
because this is a lending pool, the oracle is used to fairly evaluate the worth of asset and collateral,
if a user can manipulate the oracle price, they can inflate the collateral worth and over-borrow to drain the fund, an attack vector that is straightforward but has a dire consequence.
coded POC
the full runnable POC repo is in:
https://github.com/JeffCX/2023-06-vmex-coded-poc/tree/main/test
the POC shows how to inflate the pricePerFullShare
we need to run the forge test to manipulate the price in a live pool
the output is