Closed sherlock-admin3 closed 4 months ago
Escalate
This issue should be considered a valid one like the other issues related to the potential for a malicious rebalancing attack. All of these issues are based on the malicious router contract.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Should be duped with #20 and #53
All 3 have the same attack path.
Agree with the escalation, planning to accept it and duplicate with #20.
Result: High Duplicate of #20
Based on discussions under #20 and #53 planning to reject the escalation and invalidate the issue as it was initially.
kennedy1030
high
A malicious rebalance executor can illegally siphon off assets through the rebalancing process.
Summary
A malicious vault rebalance executor can illegally siphon off assets by calling the ValantisHOTModule::swap function and providing a malicious swap router contract parameter, during the rebalancing process.
Vulnerability Detail
Let's consider the following scenario:
ArrakisStandardManager::rebalance function. This will then trigger the execution of certain module functions. The executor can specifically call the ValantisHOTModule::swap function by appropriately setting the payloads_ parameter.
ValantisHOTModule::swap function, there is a swap operation facilitated by the router_ parameter. The malicious executor sets this router_ parameter to a malicious contract, instead of the legitimate RouterSwapExecutor. This allows the executor to illegally siphon off some of the token0 or token1 assets through the malicious router_ contract.
The rebalancing procedure includes two safeguards - a maxDeviation check on the asset price, and a maxSlippagePIPS check on the total asset value of the pool. However, within the ValantisHOTModule::swap function, the token withdrawal and deposit operations do not alter the _ammState. As a result, the price remains unchanged, allowing the maxDeviation check to be easily satisfied.
Exploiting these blind spots in the rebalancing controls, a malicious executor can illicitly siphon off assets from the pool, up to maxSlippagePIPS of the total asset value of the pool. This vulnerability poses a serious risk to the security and integrity of the pool's funds.
Impact
A malicious rebalance executor can illegally siphon off assets through the rebalancing process.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/ArrakisStandardManager.sol#L322-L421
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/abstracts/ValantisHOTModule.sol#L326-L416
Tool used
Manual Review
Recommendation
The ValantisHOTModule::swap function should include a validation check to ensure the router_ parameter is set to the legitimate RouterSwapExecutor contract.
Duplicate of #20
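The two safeguards named in the report and the recommended router_ validation, modeled as an added example that is not part of the original report or the Arrakis code base. The function names, the sample pool, the PIPS denominator of 1,000,000 and all numbers are assumptions made for illustration.

```python
PIPS = 1_000_000  # assumption: "PIPS" means parts per million
# Constructed sample pool: price is token1 per token0, balances in whole units.
POOL = {"t0": 1_000, "t1": 2_000_000, "price": 2_000}

class UntrustedRouter(Exception): ...
class DeviationExceeded(Exception): ...
class SlippageExceeded(Exception): ...

def honest_router(amount_in, price):
    """Hypothetical router that returns full value for the input."""
    return amount_in * price

def short_router(amount_in, price, keep_pips=9_000):
    """Hypothetical arbitrary router_ that returns less than fair value."""
    return amount_in * price * (PIPS - keep_pips) // PIPS

def rebalance_swap(pool, amount_in, router, max_dev_pips, max_slip_pips, trusted=None):
    """Model a token0 -> token1 swap and its post-swap checks; return value lost."""
    # Recommended check: reject any router_ other than the expected executor.
    if trusted is not None and router is not trusted:
        raise UntrustedRouter("router_ is not the expected swap executor")
    price_before = pool["price"]
    value_before = pool["t0"] * price_before + pool["t1"]
    t0 = pool["t0"] - amount_in                        # withdraw from the pool
    t1 = pool["t1"] + router(amount_in, price_before)  # deposit what came back
    # Withdraw and deposit leave the AMM state alone, so the price is unchanged
    # and a maxDeviation-style check always sees zero deviation.
    price_after = pool["price"]
    if abs(price_after - price_before) * PIPS > max_dev_pips * price_before:
        raise DeviationExceeded
    # maxSlippagePIPS-style check on total pool value, priced in token1.
    value_after = t0 * price_after + t1
    if value_after * PIPS < value_before * (PIPS - max_slip_pips):
        raise SlippageExceeded
    return value_before - value_after

if __name__ == "__main__":
    print("honest router, value lost:", rebalance_swap(POOL, 1_000, honest_router, 5_000, 10_000))
    print("short router, value lost:", rebalance_swap(POOL, 1_000, short_router, 5_000, 10_000))
```

In this model a loss below the slippage bound passes both post-swap checks, and only the router comparison rejects it.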