search

sherlock-audit / 2024-03-arrakis-judging

2 stars 2 forks source link

kennedy1030 - A malicious rebalance executor can illegally siphon off assets through the rebalancing process. #56

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

kennedy1030

high

A malicious rebalance executor can illegally siphon off assets through the rebalancing process.

Summary

A malicious vault rebalance executor can illegally siphon off assets by calling the ValantisHOTModule::swap function and providing a malicious swap router contract parameter, during the rebalancing process.

Vulnerability Detail

Let's consider the following scenario:

  1. The malicious executor of a public vault invokes the ArrakisStandardManager::rebalance function. This will then trigger the execution of certain module functions. The executor can specifically call the ValantisHOTModule::swap function by appropriately setting the payloads_ parameter.
376         (bool success,) = address(module).call(payloads_[i]);
  1. Within the ValantisHOTModule::swap function, there is a swap operation facilitated by the router_ parameter. The malicious executor sets this router_ parameter to a malicious contract, instead of the legitimate RouterSwapExecutor. This allows the executor to illegally siphon off some of the token0 or token1 assets through the malicious router_ contract.
376         (bool success,) = router_.call(payload_);

The rebalancing procedure includes two safeguards - a maxDeviation check on the asset price, and a maxSlippagePIPS check on the total asset value of the pool. However, within the ValantisHOTModule::swap function, the token withdrawal and deposit operations do not alter the _ammState. As a result, the price remains unchanged, allowing the maxDeviation check to be easily satisfied.

Exploiting these blind spots in the rebalancing controls, a malicious executor can illicitly siphon off assets from the pool, up to maxSlippagePIPS of the total asset value of the pool. This vulnerability poses a serious risk to the security and integrity of the pool's funds.

Impact

A malicious rebalance executor can illegally siphon off assets through the rebalancing process.

Code Snippet

https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/ArrakisStandardManager.sol#L322-L421

https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/abstracts/ValantisHOTModule.sol#L326-L416

Tool used

Manual Review

Recommendation

The ValantisHOTModule::swap function should include a validation check to ensure the router_ parameter is set to the legitimate RouterSwapExecutor contract.

Duplicate of #20

kennedy1030 commented 3 months ago

Escalate

This issue should be considered a valid one like the other issues related to the potential for a malicious rebalancing attack. All of these issues are based on the malicious router contract.

sherlock-admin3 commented 3 months ago

Escalate

This issue should be considered a valid one like the other issues related to the potential for a malicious rebalancing attack. All of these issues are based on the malicious router contract.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

0xjuaan commented 3 months ago

Should be duped with #20 and #53

All 3 have the same attack path.

WangSecurity commented 3 months ago

Agree with the escalation, planning to accept it and duplicate with #20.

WangSecurity commented 3 months ago

Result: High Duplicate of #20

sherlock-admin2 commented 3 months ago

Escalations have been resolved successfully!

Escalation status:

WangSecurity commented 3 months ago

Based on discussions under #20 and #53 planning to reject the escalation and invalidate the issue as it was initially.