Open sherlock-admin2 opened 1 month ago
Isn't the precondition 1- since the inflation happens through accruals in each block, the attacker should not be interrupted during the process. In case of interruptions, attacker can start to work on a new pool.
extreme and the chances of it are very low to inflate share price to a profitable value?
Escalate
The attack path provided in this report leads to a low severity impact, so it should be invalidated. This attack increases the share value at a linear rate. This makes it unfeasible to inflate the share value to a significant amount (due to gas and time reasons).
On the other hand, #90, #582, #597 demonstrate how to increase the share value at an exponential rate, which allows an attacker to atomically inflate the share value to a significant amount (more than 1e19 : 1 after ~40 iterations)
Escalate
The attack path provided in this report leads to a low severity impact, so it should be invalidated. This attack increases the share value at a linear rate. This makes it unfeasible to inflate the share value to a significant amount (due to gas and time reasons).
On the other hand, #90, #582, #597 demonstrate how to increase the share value at an exponential rate, which allows an attacker to atomically inflate the share value to a significant amount (more than 1e19 : 1 after ~40 iterations)
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalate
The attack path provided in this report leads to a low severity impact, so it should be invalidated. This attack increases the share value at a linear rate. This makes it unfeasible to inflate the share value to a significant amount (due to gas and time reasons).
On the other hand, #90, #481, #597 demonstrate how to increase the share value at an exponential rate, which allows an attacker to atomically inflate the share value to a significant amount (more than 1e19 : 1 after ~40 iterations)
@0xjuaan, I agree with your point that this issue, along with the others grouped with it, does not provide the correct attack path to significantly inflate the share price. However, I would like to point out that issue #582 also highlights the same attack path for inflating the share price through the looping mechanism you've mentioned above in different issues. So this issue #582 should also be added in the group. Please let me know if i am wrong here. Thank you!
Thanks for going through the issue!
I agree that there is a much better way to inflate the shares without having to wait for accrual in each block. I went a bit through the code and trying to provide some additional info and my opinions here. It seems like there are two ways to inflate the shares here:
(1) Explained in this issue: In each accrual, since the interest accrued always rounds up (e.g. FixedRate), even if the accrued amount is small, the asset would increase anyways. This needs accrual in each block without interruptions and inflates the shares in a slow way.
(2) Other issues mentioned above: start by inflating the share with (1) for only one block, and then use deposit
and withdraw
functions to inflate the shares super quickly. Which I think poses a way greater threat. (I also appended a PoC for this one to make sure it works, find it below)
The only thing achieved in (1), that isn't achieved in (2) is that it also inflates borrow shares (Haven't really explored if borrow shares can also be inflated in the same manner as (2)). While (1) is slow, it can still be used to avoid paying fees to the protocol in low decimal tokens, which I think is still important.
Now, we can see that there are a couple problems with (1):
minDebt
to be set to low amount -> while this is a problem, the share inflation can still happen in situations where it is set to a high amountI think (2) is the way more dangerous attack, while minDebt
would still effect this as well, but I assume it should be still possible to pull this attack off.
Overall I leave it to the judge to decide on this, haven't gone through the other issues to discuss which ones should be in each category. But I think inflation issues should be mitigated in such protocols and there are two different issues here since there are two different mitigations (2) is definitely a High, and (1) can be a Medium.
ThePharmacist
High
Share inflation on base pools can cause heavy losses to users
Summary
Users can deposit and borrow from pools in Sentiment v2 which calculates each user's balance through an Asset and Share system. By it's nature, Assets are supposed to always grow (in case there are no bad debts), and therefore are larger in value than shares. However, malicious users can heavily inflate each share, and can cause miscalculations due to rounding errors. This would effect pools with less underlying decimal asset in a way that 1- The fee paid to the pool can br bricked easily 2- the users that deposit can lose money due to loss of precision.
Root Cause
Pool:381
, andFixedRateModel.sol:33
the accrual is always rounded up.Min Debt = from 0 to 0.05 ETH = from 0 to 50000000000000000
. While this attack is possible for allminDebts
in this range, we will consider thatMin Debt = 0
to explore the most extreme case. Consider that by increasing the amount ofMinDebt
this attack would be much less feasible.Pool.sol
, the valueinterestAccrued
is in base asset's decimals, which means for USDC/USDT, this amount would be only 6 decimals. This makes the share inflation attack way more feasible on such low decimal tokens.Internal pre-conditions
N/A
External pre-conditions
1- since the inflation happens through accruals in each block, the attacker should not be interrupted during the process. In case of interruptions, attacker can start to work on a new pool.
Attack Path
The goal of the Attacker is to inflate each share and map each 1 share to a much higher amount of Asset. Here, we consider that the attacker is not going to be interrupted during the process, and also consider
minDebt == 0
. 1- The attacker deposits 1 asset into the protocol, bringingtotalDepositAssets
andtotalDepositShares
both to 1. 2- The attacker borrows the 1 asset from the protocol, bringingtotalBorrowAssets
andtotalBorrowShares
both to 1, also setting the utilization to 100 percent. 3- attacker starts accruing with each block, after the first accrual,Pool:407
adds to the Assets, inflating them in the process.feeShares
is usually zero due to rounding down and small amounts in the process. 4- After the first accrual,totalDepositAssets
andtotalBorrowAssets
are set to 2, while the shares remain in the previous value. 5- Attacker can continue and do this for a day, after(24*3600)/12 = 7200 times
, can bring asset/share to7201
. 6- After the second day and14400
times of accrual, bringing asset/share ratio to14400
. (Attacker can get achieve bigger numbers if they continue doing this) 7- At this point, every deposit or borrow from users would be rounded down/up by 14400. A victim can deposit14400 * 2 - 1
assets and would only receive 1 share, basically sharing14400 - 1
with the rest of the pool. 8 - This would especially effect the pools with less decimal values such asUSDC
andUSDT
.Impact
interestAccrued
is small each time and protocol fees are rounded down twice, protocol lenders can use such tricks and accrue frequently to avoid paying any fees to the protocol owner.PoC
The output of the test is:
PoC:
Mitigation
minDebt
to at least 0.05 ETH. Explore how the feasibility of this attack drops with the increase ofminDebt
.interestAccrued
should be normalized to the 18 decimals even for lower asset decimals, this makes the calculations for such assets much more accurate.