-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
An attacker can lock any PendlePowerFarmToken with a donation using addCompoundRewards #88
Comments
GalloDaSballo marked the issue as primary issue |
GalloDaSballo marked the issue as high quality report |
Yes true but its not a high since you can always withdraw and we can redeploy a new one everytime. So no user funds at risk or funds lost or blocked. Downgraded imo. Still a reason to introduce a role for compound adding and a solid medium imo |
@GalloDaSballo please mark this as |
Seems only deposits can be locked, which is similar to admin calling |
POC also shows only depositExactAmount calls, but not other functions at risk. |
Have asked Staff to reach out! |
trust1995 marked issue #123 as primary and marked this issue as a duplicate of 123 |
trust1995 marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L114-L130
Vulnerability details
Summary
An attacker can inflate a share price using donation with
addCompoundRewards
. It will lead to reverts insyncSupply
modifier effectively locking thePendlePowerFarmToken
Vulnerability Details
_validateSharePriceGrowth
reverts if the share price grew too fastaddCompoundRewards
, increasingtotalLpAssetsToDistribute
https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L502-L524
syncSupply
modifier calls the PendlePowerFarmToken._syncSupply
, which moves thetotalLpAssetsToDistribute
tounderlyingLpAssetsCurrent
, thereby increasing the share price.https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L334-L345
_validateSharePriceGrowth
, leading to a revert.https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L81-L96
manualSync
will revert because they use thesyncSupply
modifier.exchangeRewardsForCompoundingWithIncentive
and PendlePowerFarmController.exchangeLpFeesForPendleWithIncentive
(which calls PendlePowerFarmController.syncSupply
=> PendlePowerFarmController._syncSupply
=> PendlePowerFarmToken.manualSync
).It's cheapest to perform this attack on a new pool or a pool with very low deposits. However, it can also be done on larger pools, but the cost of the attack will be higher.
Steps for the attack:
addCompoundRewards
underlyingLpAssetsCurrent
*RESTRICTION_FACTOR
.underlyingLpAssetsCurrent
*RESTRICTION_FACTOR
/ 365.syncSupply
is called once a day), they would need to donate 7x more.7*24
x more.additionalAssets
to be large enough that the share price becomes too high.Impact
manualSync
will revert because they use thesyncSupply
modifier.exchangeRewardsForCompoundingWithIncentive
and PendlePowerFarmController.exchangeLpFeesForPendleWithIncentive
, as well aslockPendle
,withdrawLock
.addPendleMarket
does not allow adding the same market again.Proof of Concept
contracts/PowerFarms/PendlePowerFarmController/Donate.t.sol
forge test -f https://mainnet.infura.io/v3/YOUR_KEY -vvv --mc Donate --mt testOne
Tools Used
Manual review
Recommended Mitigation Steps
addCompoundRewards
.RESTRICTION_FACTOR
in case of an emergency.Assessed type
Oracle
The text was updated successfully, but these errors were encountered: