Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERC4626 inflation attack mitigation #3979

Merged
merged 27 commits into from
Feb 17, 2023
Merged

ERC4626 inflation attack mitigation #3979

merged 27 commits into from
Feb 17, 2023

Conversation

Amxx
Copy link
Collaborator

@Amxx Amxx commented Jan 19, 2023
edited by frangio
Loading

Fixes #3706
Fixes LIB-599
Fixes LIB-653

Use virtual shares and assets to mitigate inflation attacks. The vault adds 1:N virtual asset/shares to enforce an initial exchange rate. This solves the issue of unhealty/broken vaults. It also limits the effectiveness of inflation attacks

The N value is 10**offset, with offset being the decimal (precision) difference between the vault and the underlying token.

Technically, the offset correspond the difference (in orders of magnitude) between the funds required by the attackers and the funds being deposited by the user.

  • An offset of 0 doesn't offer protection
  • An offset of 9 makes attack very difficult, but changes the decimal value of the vault.

Note that this is a breaking change: the presence of virtual shares means the vault is likely to "capture" some value, and 1 unit (wei) to underlying asset might be unrecoverable. The test file shows that on a typical lifecyle

Analysis of the offset effect on the inflation attack

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)

@frangio frangio self-requested a review January 23, 2023 15:59
@changeset-bot
Copy link

changeset-bot bot commented Jan 25, 2023
edited
Loading

🦋 Changeset detected

Latest commit: e708b4d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
openzeppelin-solidity Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@Amxx Amxx marked this pull request as ready for review February 10, 2023 11:22
@RedVeil RedVeil mentioned this pull request Feb 13, 2023
Closed
Amxx
Amxx commented Feb 14, 2023
View reviewed changes
contracts/token/ERC20/extensions/ERC4626.sol Outdated Show resolved Hide resolved
docs/modules/ROOT/pages/erc4626.adoc Outdated Show resolved Hide resolved
frangio
frangio reviewed Feb 14, 2023
View reviewed changes
Copy link
Contributor

@frangio frangio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Solidity code looks good to me. I have to finish going through the tests and guide.

contracts/token/ERC20/extensions/ERC4626.sol Outdated Show resolved Hide resolved
contracts/token/ERC20/extensions/ERC4626.sol Outdated Show resolved Hide resolved
contracts/token/ERC20/extensions/ERC4626.sol Show resolved Hide resolved
test/token/ERC20/extensions/ERC4626.test.js Outdated Show resolved Hide resolved
docs/modules/ROOT/pages/erc4626.adoc Outdated Show resolved Hide resolved
frangio
frangio reviewed Feb 16, 2023
View reviewed changes
Copy link
Contributor

@frangio frangio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comments but all looks good to me.

contracts/token/ERC20/extensions/ERC4626.sol Outdated Show resolved Hide resolved
docs/modules/ROOT/pages/erc4626.adoc Show resolved Hide resolved
docs/modules/ROOT/pages/erc4626.adoc Outdated Show resolved Hide resolved
@Amxx Amxx requested a review from frangio February 16, 2023 16:44
frangio
frangio approved these changes Feb 16, 2023
View reviewed changes
Copy link
Contributor

@frangio frangio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Amxx Amxx merged commit d64d7aa into OpenZeppelin:master Feb 17, 2023
@Amxx Amxx deleted the fix/erc4626/decimalsoffset branch February 17, 2023 09:08
@boringcrypto
Copy link

You're welcome 😉

@frangio
Copy link
Contributor

frangio commented Feb 17, 2023

@boringcrypto Oh, not sure if this was your point but we should probably credit YieldBox in our docs. It took us a lot of time to be convinced but that was definitely how we got to this solution (#3706 (comment)). Do you know if you were the first to propose this approach?

@frangio frangio mentioned this pull request Feb 21, 2023
Closed
@LHerskind LHerskind mentioned this pull request Feb 21, 2023
Open
9 tasks
@github-actions github-actions bot mentioned this pull request Feb 22, 2023
Closed
@Amxx Amxx mentioned this pull request Feb 22, 2023
Merged
1 task
pcaversaccio
pcaversaccio reviewed Feb 23, 2023
View reviewed changes
test/token/ERC20/extensions/ERC4626.test.js

const { tx } = await this.vault.deposit(parseToken(1), recipient, { from: holder });

await expectEvent.inTransaction(tx, this.token, 'Transfer', {
Copy link
Contributor

@pcaversaccio pcaversaccio Feb 23, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I missed them somehow, but the tests do not include any event emission tests for Deposit and Withdraw. I would say those are the most important ones to test in this context.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed here: #4072

(you should work with us 😄 )

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

highly appreciate your comment and am happy it improves the overall code quality - I can't commit anything full-time currently and will keep monitoring the OZ contracts as a side project for now (but never say never 😄)

@Amxx Amxx mentioned this pull request Feb 23, 2023
Merged
1 task
@github-actions github-actions bot mentioned this pull request Mar 10, 2023
Closed
@dglowinski dglowinski mentioned this pull request Jan 17, 2024
Merged
3 tasks
@kazantseff kazantseff mentioned this pull request Mar 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Joeysantoro Joeysantoro Joeysantoro left review comments

@pcaversaccio pcaversaccio pcaversaccio left review comments

@frangio frangio frangio approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement or recommend mitigations for ERC4626 inflation attacks
5 participants
@Amxx @boringcrypto @frangio @pcaversaccio @Joeysantoro