Manipulating Global Average Price to Cause Denial of Service (DoS) in IFlatcoinVault

Low/Info issue submitted by BZ

Summary

In the IFlatcoinVault smart contract, the function InvariantChecks._globalAveragePriceIsNotNegative contains a tautology or contradiction that allows an attacker to manipulate the global average price to fall below zero. By doing so, the attacker can trigger a denial of service (DoS) attack that disrupts the functioning of the contract, as it will revert transactions due to the FlatcoinErrors.InvariantViolation error. This vulnerability can effectively halt all operations relying on the contract's global average price.

Vulnerability Detail

The vulnerability exists in the InvariantChecks._globalAveragePriceIsNotNegative function within the InvariantChecks contract. The function is designed to ensure that the global average price is never negative by checking the value of vault.getGlobalPositions().averagePrice. However, the function's logic contains a tautology or contradiction because it only checks whether the average price is negative without any mechanism to correct the situation if it is. This check occurs at line 105 of InvariantChecks.sol and will revert the transaction if the condition is met, throwing an error.

The vulnerability arises because an attacker can manipulate the global average price through various means, such as by manipulating the market or the positions of different modules within the contract. Once the global average price falls below zero, any transactions depending on the InvariantChecks functions may be halted due to the FlatcoinErrors.InvariantViolation error. This could result in a denial of service (DoS) attack, disrupting the normal functioning of the contract and potentially affecting users' ability to execute orders and perform other operations.

To exploit this vulnerability, an attacker could manipulate the global average price to drop below zero. Since there is no mechanism to address this scenario, the function will revert any transactions that rely on the InvariantChecks logic. This could have a cascading effect, causing disruption throughout the contract and potentially causing a loss of user trust or financial losses.

Impact

The impact of the vulnerability in InvariantChecks._globalAveragePriceIsNotNegative is significant, as it can disrupt the normal operation of the smart contract and the broader Flatcoin protocol. The potential consequences include:

An attacker can exploit the vulnerability to manipulate the global average price, causing the function to revert transactions and potentially halting the execution of critical operations within the contract.
By causing transactions to fail, the vulnerability could disrupt trading activities and other functionalities of the protocol, leading to a negative user experience and loss of trust.
Users may face financial losses due to the inability to execute trades or other operations as expected. This could result in lost opportunities or adverse outcomes for users relying on the protocol.
The vulnerability could have cascading effects on other parts of the contract or related modules, potentially affecting their functionality and causing broader disruptions.
The vulnerability undermines the integrity of the protocol, as the failure of critical invariant checks can erode confidence in the contract's stability and security.

Code Snippet

https://github.com/sherlock-audit/2024-03-flat-money-fix-review-contest/blob/main/flatcoin-v1/src/misc/InvariantChecks.sol#L104

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "./IFlatcoinVault.sol";
import "./InvariantChecks.sol";

contract PoCExploit {
    IFlatcoinVault public vault;

    constructor(address vaultAddress) {
        vault = IFlatcoinVault(vaultAddress);
    }

    function exploitAveragePriceManipulation() external {
        // Intentionally manipulate the averagePrice to be negative.
        // This manipulation can be achieved through specific trading activities, asset prices, or leveraging positions.
        // Here we assume a specific function or set of functions can be used to achieve this manipulation.
        vault.updateGlobalPositionData(/* parameters to manipulate averagePrice */);

        // Call a function that relies on the InvariantChecks._globalAveragePriceIsNotNegative modifier.
        // This function call should revert due to the negative averagePrice.
        vault.someFunctionThatReliesOnInvariantChecks();

        // Monitor the function call and observe the denial of service effect.
        // The function call should revert due to the negative averagePrice.
    }
}

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "./IFlatcoinVault.sol";
contract AveragePriceExploit {
    IFlatcoinVault public vault;

    // Constructor: Initialize the vault contract instance
    constructor(address vaultAddress) {
        vault = IFlatcoinVault(vaultAddress);
    }

    // Function to execute the PoC
    function executePOC() external {
        // Use an attack scenario to manipulate the global average price
        uint256 targetPrice = 1000; // Set a price that may cause negative average price

        // Attempt to manipulate the average price to a negative value
        try {
            // Adjusting the vault's global position data
            vault.updateGlobalPositionData(targetPrice, -1000, -2000); // Hypothetical values for demonstration purposes
        } catch (bytes memory err) {
            // Log the error
            emit AttackResult("Transaction reverted due to negative average price", err);
            return;
        }

        // If the attack succeeded, print a success message
        emit AttackResult("Transaction succeeded", "");
    }

    // Event to log the attack result
    event AttackResult(string message, bytes data);
}

Tool used

Manual Review

Recommendation

Ensure that inputs related to averagePrice and global position data are thoroughly validated before being used.
- Add checks to ensure that manipulated or invalid values cannot enter the averagePrice calculation.
- Use safe arithmetic operations (e.g., SafeMath) to avoid overflow or underflow when calculating averagePrice or other key variables.
- Implement a check to guarantee that averagePrice never falls below zero.
- This can be achieved by clamping the value of averagePrice to a minimum of zero during any operations that may change its value.

sherlock-audit / 2024-03-flat-money-fix-review-contest-judging