Closed sherlock-admin4 closed 6 months ago
1 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
This is known issue. Check Readme.
Escalate
These are the known issues in the README.md
:
Please list any known issues/acceptable risks that should not result in a valid finding.
Contracts are not set-up for Blast network or zkSync.
Temporary LP DOS by minting/burning tokens to an LP. We've added protection to make this less effective if it's a small amount, but otherwise accept that it can be done. If it can be made permanent, cost effective, and can't be defended against with a private RPC then that would be a legitimate bug.
Blocklist token problems are understood and not a concern.
Tx failures and griefing resulting from MEV protection are known and accepted.
DOS during bootstrapping by sending 1 wei of token directly to the pair right before a user attempts to sell their whole token balance.
We are not sure which one you are alluding to, if it is:
DOS during bootstrapping by sending 1 wei of token directly to the pair right before a user attempts to sell their whole token balance.
then this is not applicable to our report. Our report does not mention a user selling their token balance nor does it mention sending 1 wei of token directly to the pair.
Therefore, this should be treated as in-scope
.
Thanks!
Escalate
These are the known issues in the
README.md
:Please list any known issues/acceptable risks that should not result in a valid finding. Contracts are not set-up for Blast network or zkSync. Temporary LP DOS by minting/burning tokens to an LP. We've added protection to make this less effective if it's a small amount, but otherwise accept that it can be done. If it can be made permanent, cost effective, and can't be defended against with a private RPC then that would be a legitimate bug. Blocklist token problems are understood and not a concern. Tx failures and griefing resulting from MEV protection are known and accepted. DOS during bootstrapping by sending 1 wei of token directly to the pair right before a user attempts to sell their whole token balance.
We are not sure which one you are alluding to, if it is:
DOS during bootstrapping by sending 1 wei of token directly to the pair right before a user attempts to sell their whole token balance.
then this is not applicable to our report. Our report does not mention a user selling their token balance nor does it mention sending 1 wei of token directly to the pair.
Therefore, this should be treated as
in-scope
.Thanks!
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
I disagree with the escalation. You can see 2. from Known issue: Temporary LP DOS by minting/burning tokens to an LP.....
Separately, such short-term DOS attacks are Low according to the Sherlock documentation. They would only be valid if used on some time-sensitive function like Auction for example.
Known issue 2 refers to the ability to lock temporarily all the tokens of a LP by minting the LP some tokens. Here is the code that does that.
I submitted and escalated an issue with this exact root cause mentioned by @bronzepickaxe . However, the impact I described in #79 is different (permanent DoS).
Planning to reject escalation and keep issue state as is, known issue.
Result: Invalid Unique
FassiSecurity
high
Malicious user can cause mint to fail
Summary
the
mint
function allows users to add liquidity to a pool, and in return, they receive liquidity tokens. It will go through several checks, 1 of which is a check to ensure that thebalancetoken
is equal totokenAmtForPresale + tokenAmtForAmm
.Vulnerability Detail
tokenAmtForPresale & tokenAmtForAmm
are both retrieved after calling_tokenAmountsForLiquidityBootstrap
As we can see, the _tokenAmountsForLiquidityBootstrap takes multiple parameters `(virtualEth, boostrapEth, initialEth, and initialTokenMatch).
Impact
We will now demonstrate how a malicious user can always cause the
if
statement to trigger, leading to an honest user being unable to provide liquidity:mint
function is calledtoken
towardsbalanceToken
mint
function will execute until it reaches the aforementionedif
statementbalanceToken
will not be the same astokenAmtForPresale + tokenAmtForAmm
.We are aware of the known issue stated in the docs:
However, they are not the same. The known issue describes a donation attack occurring when a user attempts to sell their token balance, whereas this issue describes a DOS when a user tries to provide liquidity.
Code Snippet
https://github.com/sherlock-audit/2024-03-goat-trading/blob/main/goat-trading/contracts/exchange/GoatV1Pair.sol#L138-L140
Tool used
Manual Review
Recommendation
Implement some sort of logic which prevents such an attack