Malicious users can perform an inflation attack against the LSTAdapter to steal the assets of the victim.
Vulnerability Detail
A malicious user can perform a donation to execute a classic first depositor/ERC4626 inflation Attack against the LSTAdapter.(For simplicity, we only consider StEtherAdapter below). The general process of this attack is well-known, and a detailed explanation of this attack can be found in many of the resources such as the following:
In short, to kick-start the attack, the malicious user will often usually mint the smallest possible amount of shares (e.g., 1 wei) and then donate significant assets to the vault to inflate the number of assets per share. Subsequently, it will cause a rounding error when other users deposit.
However, in Napier, OZ's ERC4626 implementation is used, which has various safeguards in place to mitigate this attack: Virtual Shares and Decimals Offset.
It consists of two parts:
Use an offset between the "precision" of the representation of shares and assets. Said otherwise, we use more decimal places to represent the shares than the underlying token does to represent the assets.
Include virtual shares and virtual assets in the exchange rate computation. These virtual assets enforce the conversion rate when the vault is empty.
However, as OZ's _decimalsOffset is set to 0 by default, and current BaseLSTAdapter does not override the function, there is actually no offset:
Although virtual shares and virtual assets could enforce the conversion rate when the vault is empty, such attack could be done by mint x share -> burn x-1 share.
function totalAssets() public view override returns (uint256) {
uint256 stEthBalance = STETH.balanceOf(address(this));
return withdrawalQueueEth + bufferEth + stEthBalance;
}
Part 1 - Malicious user mint 1 mint of share
Part 2 - Donate or transfer assets to the vault to inflate the assets per share
Impact
Malicous users could steal the assets of the victim.
LTDingZhen
medium
ERC4626 Vault Inflation Attack
Summary
Malicious users can perform an inflation attack against the
LSTAdapter
to steal the assets of the victim.Vulnerability Detail
A malicious user can perform a donation to execute a classic first depositor/ERC4626 inflation Attack against the
LSTAdapter
.(For simplicity, we only considerStEtherAdapter
below). The general process of this attack is well-known, and a detailed explanation of this attack can be found in many of the resources such as the following:In short, to kick-start the attack, the malicious user will often usually mint the smallest possible amount of shares (e.g., 1 wei) and then donate significant assets to the vault to inflate the number of assets per share. Subsequently, it will cause a rounding error when other users deposit.
However, in Napier, OZ's ERC4626 implementation is used, which has various safeguards in place to mitigate this attack: Virtual Shares and Decimals Offset.
It consists of two parts:
However, as OZ's
_decimalsOffset
is set to0
by default, and currentBaseLSTAdapter
does not override the function, there is actually no offset:Although virtual shares and virtual assets could enforce the conversion rate when the vault is empty, such attack could be done by mint x share -> burn x-1 share.
Part 1 - Malicious user mint 1 mint of share
Part 2 - Donate or transfer assets to the vault to inflate the assets per share
Impact
Malicous users could steal the assets of the victim.
Code Snippet
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/8b4b7b8d041c62a84e2c23d7f6e1f0d9e0fc1f20/contracts/token/ERC20/extensions/ERC4626.sol
https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/napier-v1/src/adapters/BaseLSTAdapter.sol#L71
Tool used
Manual Review
Recommendation
A MIN_LIQUIDITY amount of shares needs to exist within the vault to guard against a common inflation attack.
Or, just use a
_decimalsOffset > 0
to forbid the attack.Duplicate of #94