Open hats-bug-reporter[bot] opened 3 months ago
Same with withdrawals
The cooldown period for very small investments is minimal. This design ensures that small, malicious deposits do not significantly impact the overall functionality and usability of the vaults.
@0xfuje
Appreciate the comment @langnavina97. The problem is that any cooldown period initiated will make the initial user's TX revert, because the attacker can front-run every deposit and withdraw to start the cooldown therefore blocking all deposits and withdrawals.
To be more specific, the exploit applies for withdrawals only, but I did make this comment before to highlight it: https://github.com/hats-finance/Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77/issues/12#issuecomment-2181037021, just my initial assumption was incorrect in that it also applies for deposits
Hey @langnavina97, please let me know why did you mark this as invalid
Minting 1 wei portfolio token won't be possible, it will fail here: https://github.com/hats-finance/Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77/blob/aa47c9ff85bcc2bede62978c3895668b549da125/contracts/core/calculations/VaultCalculations.sol#L33-L34
Thanks that's true, however I still think this does not solve the root of the issue since anyone can still block withdrawals as long they mint the minimum amount for the withdrawer. It can be a 10000x+ difference between the intended withdrawn amount and the amount of capital needed to block the deposit. Although I understand why you would mark it as invalid because attacker has to spend more than 1 wei of portfolio tokens
for what I understand, having a minimum amount is kinda protection, and they already decide this 'attack' vector as 'acceptable'. If some attacker want to delay the transaction, they basically need to donate at least that minimum amount. Simply, the delayed user will earn the minimum deposit, which imo, the loss will be on the attacker side in the long run.
@kakarottosama since i got the duplicate of this issue , i believe @0xfuje is right because Imagine:
In a situation, where portfolio is performing bad, imagine a whale investor is attacked, and his withdrawal txns are blocked, Dont you think his looses can skyrocket to millions of dollars.
Since, it is none of my business but as a auditor myself, i know the pain of submitting issues with blood n sweat while getting invalid
Github username: @0xfuje Twitter username: 0xfuje Submission hash (on-chain): 0x683539dba401843200192eb8ca7bd4a584fd75aa33808bc441ff41021b7102d5 Severity: high
Description:
Impact
Permanent denial of service of
Vault
s since no deposit will executeDescription
The
_depositAndMint()
function handles deposits for a givenVault
, note that any user (or if whitelist is enabled any whitelisted user) can deposit for anyone by inputting their address in_depositFor
param.There is a cooldown for each users that deposits, see:
_mintTokenAndSetCoolDown()
inside_depositAndMint()
. If the depositor's balance is zero, we will apply full cooldown in_calculateCoolDownPeriod()
.PortfolioToken.sol
-_mintTokenAndSetCoolDown()
This allows an attack path where an attacker can front-run other users initial deposit with a minimum of
1
wei mint deposit to prevent them for depositing first until full cooldown has passed. Attacker can repeat with more front-runs when the user tries to deposit again and make their tx revert.Proof of Concept
WETH
to a vault viamultiTokenDepositFor()
->_depositAndMint()
_depositFor
with a minimum deposit that mints1 wei
portfolio token1 wei
mint deposit and the users tx will revert due to the cooldown appliedRecommendation
Consider to set the cooldown for the actual depositor aka
msg.sender
, not the user who the depositor deposited to with the_depositFor
param