Malicious actor can inflate share price and DOS power farm immediately after deployment #125
Comments
GalloDaSballo marked the issue as sufficient quality report
GalloDaSballo marked the issue as duplicate of #88
GalloDaSballo marked the issue as high quality report
trust1995 marked the issue as satisfactory
trust1995 marked the issue as not a duplicate
trust1995 marked the issue as duplicate of #271
trust1995 marked the issue as selected for report
trust1995 changed the severity to 2 (Med Risk)
trust1995 marked the issue as duplicate of #123
trust1995 changed the severity to 3 (High Risk)
trust1995 marked the issue as not selected for report
@trust1995 The primary and this one are both written by me. I'd like to ask for this one to get grouped under #271, as it was initially.

The groupings are in line with the root cause of each group and will remain as such.
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L502-L524
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmController.sol#L224-L229
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmTokenFactory.sol#L35-L109
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L81-L130
Vulnerability details
Impact
A malicious actor can DOS a Pendle farm vault immediately after it has been deployed by depositing a small amount of wei through PendlePowerFarmToken::addCompoundRewards(). Once performed, the governance won't be able to re-deploy at a different address due to a different issue: the salt used for create2 depends on the underlying Pendle market's address, so a re-deployment would generate the same, already affected, address.

Proof of Concept
The governance (master) holds the authority to deploy power farms for particular Pendle markets whenever necessary. This is made possible through the PendlePowerFarmController::addPendleMarket() function. Here's the part of it we're interested in:

This will call into PendlePowerFarmTokenFactory and deploy a new instance of PendlePowerFarmToken using the minimal proxy pattern. And here's the last piece of the puzzle before the farm is ready, PendlePowerFarmToken::initialize():

As we can see, nowhere in the process do we provide an initial asset supply for the newly created power farm.

The power farm uses the following algorithm for calculating the share price (from PendlePowerFarmToken):

An attacker could call PendlePowerFarmToken::addCompoundRewards() and inflate the share price. This would cause a DOS because of the following code:

Bumping _sharePriceNow through the donation without any underlying assets will cause a long-term DOS on the vault. Afterward, the governance won't be able to re-deploy a power farm for the same Pendle market because the salt is hard-coded inside PendlePowerFarmTokenFactory::_clone().

Here's what the exploit path would look like:
1. Right after deployment, the attacker calls PendlePowerFarmToken::addCompoundRewards() with a small amount of wei.
2. Functions that use syncSupply become DOSed until maximum is again greater than _sharePriceNow.
3. The governance cannot re-deploy a farm for this market, since create2 would yield the same address. So, this Pendle market is essentially rendered unusable in the context of this protocol.

Coded POC (PendlePowerFarmControllerBase.t.sol):

Logs from the depositExactAmount() call:

Tools Used
Manual Review
Recommended Mitigation Steps
Make the salt user supplied in addPendleMarket() and add a mechanism to remove the affected market from PendlePowerFarmController::activePendleMarkets[].

Add an initial supply of the underlying asset with each deployment. This will make the attack harder to pull off. The risk will still be there, but a potential denial of service through it will be much shorter in duration and unprofitable for the attacker. You can also refer to the following article to get a better idea of the vault inflation attack and case studies on how it's tackled in other protocols: https://blog.openzeppelin.com/a-novel-defense-against-erc4626-inflation-attacks
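The mechanism behind the Proof of Concept and the seeding mitigation above, as an added illustration that is not code from the wise-lending repository: a simplified Python model of a vault whose share price is checked against a linear growth cap. The price formula, the cap constants, the 1 wei / 1 share seed of the unseeded farm and the 12-second block time are all assumptions (the contract code is not reproduced on this page); the model shows why one wei of donation into an unseeded farm trips the growth check while the same donation into a seeded farm does not.

```python
# Assumed constants, not values from the wise-lending contracts.
PRECISION = 10**18               # a share price of 1.0 is stored as 1e18
RESTRICTION_FACTOR = 4 * 10**11  # allowed price growth per second (hypothetical)


class GrowthCappedVault:
    """Toy vault: pooled assets, shares, and a time-based cap on the share price."""
    def __init__(self, deploy_time, seed_assets, seed_shares):
        self.deploy_time = deploy_time
        self.assets = seed_assets   # what the deployment seeds the pool with
        self.shares = seed_shares

    def share_price(self):
        return self.assets * PRECISION // self.shares

    def max_price(self, now):
        # The cap grows linearly from 1.0 at deployment time.
        return (now - self.deploy_time) * RESTRICTION_FACTOR + PRECISION

    def donate(self, amount):
        # Models addCompoundRewards(): assets enter the pool, no shares are minted.
        self.assets += amount

    def deposit(self, amount, now):
        # Models a share-minting entry guarded by the growth check (syncSupply).
        if self.share_price() > self.max_price(now):
            raise RuntimeError("InvalidSharePriceGrowth")
        minted = amount * self.shares // self.assets
        self.assets += amount
        self.shares += minted
        return minted

    def seconds_until_unblocked(self, now):
        # Time the cap still needs to catch up with the current share price.
        excess = self.share_price() - PRECISION
        catch_up = -(-excess // RESTRICTION_FACTOR) if excess > 0 else 0
        return max(0, self.deploy_time + catch_up - now)


def donation_effect(seed_assets, seed_shares, donation, now=12):
    """Deploy, donate, then attempt a deposit one block (12 s, assumed) later.
    Returns (deposit_blocked, seconds_until_unblocked)."""
    vault = GrowthCappedVault(0, seed_assets, seed_shares)
    vault.donate(donation)
    wait = vault.seconds_until_unblocked(now)
    try:
        vault.deposit(10**18, now)
        return False, wait
    except RuntimeError:
        return True, wait
```

With these constants, donation_effect(1, 1, 1) reports the deposit blocked for roughly 29 days after one wei, while donation_effect(10**18, 10**18, 1) reports no block at all; an attacker would need a donation on the order of the seed to reproduce the jump.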
Assessed type
DoS