Closed sherlock-admin closed 1 year ago
The price of the vault or rewards are not directly impacted by the price of a yearn vault.
Escalate for 10 USDC A few things I wanted to mention about this :
currentPrice
would be changed in case of price manipulation in yearn vault, this would in fact change the priceDiff
and thus the nominator
. The value of denominator
will remain the same as of the lastPrices
when the price was not manipulated. This will in fact change the value of rewardPerLockedToken
.exchangeRate
from yearn provider also changes the returned value of balanceUnderlying
which might affect the accounting of the protocol in case of attack as balanceUnderlying
in Vaults directly call balanceUnderlying
of the providers(in this case yearn provider), because this directly affects savedTotalUnderlying
value in the vault.Escalate for 10 USDC A few things I wanted to mention about this :
- In the above function the value of
currentPrice
would be changed in case of price manipulation in yearn vault, this would in fact change thepriceDiff
and thus thenominator
. The value ofdenominator
will remain the same as of thelastPrices
when the price was not manipulated. This will in fact change the value ofrewardPerLockedToken
.- The value of
exchangeRate
from yearn provider also changes the returned value ofbalanceUnderlying
which might affect the accounting of the protocol in case of attack asbalanceUnderlying
in Vaults directly callbalanceUnderlying
of the providers(in this case yearn provider), because this directly affectssavedTotalUnderlying
value in the vault.- The above attacks, might change the accounting of the protocol and the rewards distributed, I haven't written an exploit/POC to prove the same but reading the code, it seems like the accounting would definitely be disturbed in case of such flash-loan exploit.
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation rejected
This is not a valid issue. Comment from lead Watson:
the manipulation of yearn vault is done via donation and is feasible only if there is leverage > 1 wrt it achieved via some other protocol. Here it is not the case.
Escalation rejected
This is not a valid issue. Comment from lead Watson:
the manipulation of yearn vault is done via donation and is feasible only if there is leverage > 1 wrt it achieved via some other protocol. Here it is not the case.
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.
psy4n0n
high
YearnProtocol’s pricePerShare can return wrong exchangeRate by the use of flash-loans
Summary
YearnProtocol’s
pricePerShare
can be manipulated by directly depositing into the underlying pool which can significantly manipulate the price. This has been previously exploited using flash loan to exploit CREAM Finance (https://github.com/yearn/yearn-security/blob/master/disclosures/2021-10-27.md)Vulnerability Detail
The value of
pricePerShare
can be significantly increased, the value is calculated usingtotalAssets / totalSupply
. Here the totalAssets can be increased by directly depositing into the vault., hence the value ofpricePerShare
can be increased.This will directly affect the functions
exchangeRate
(for the provider) andprice
(in Vault.sol), which will now return wrong price.This can then affect the
rewardPerLockedToken
mapping due to the value ofnominator
being significantly larger.Impact
This might lead to fund loss depending on the liquidity present in the vault as the price will return different value than it should.
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Providers/YearnProvider.sol#L103
Tool used
Manual Review
Recommendation
Here are a few comments/recommendation that can be taken in consideration: