-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The missing IRM parameters check in the registerPair()
function allows for the instant draining of all funds from all pairs, as the creator's revenue is accounted for before the debt is paid out.
#593
Comments
Hi @alex-ppg, I assume that the "insufficient quality report" was given due to the presence of the I agree that with this modifier in place, the issue is indeed invalid. However, during the contest, the sponsor mentioned multiple times that this modifier is only temporary. It was introduced after the hack on the Predy protocol hack, and the intention is to remove it in the future. In the Discord channel, it was even confirmed in a pinned message from the C4 Staff that it will be removed: pinned message.
It was later clarified that anyone can add pairs, but only for a limited token list: pinned message.
As the intention for this addition is to Adding a new pair within the limitations allows an attacker to drain all funds almost instantly, similar to the first Predy hack. In the issue description, it is shown that by leveraging a low-level issue (missing IMR params validation) and a medium-level issue (accounting fees ahead of time before debt is paid), an attacker can craft a critical vulnerability and drain all funds from other pairs. |
Hey @0xklapouchy, thanks for contributing to the PJQA process! First of all, this represents a validation repository finding and as such was not evaluated by me directly. I understand that the Sponsor might have changed their mind mid-contest, however, no change was reflected in the repository. As such, I cannot accept issues that rely on assumptions that have not been properly reflected on the contest page. I will surface these findings to the Sponsor in case they might find them useful, however, from a C4 perspective, the submission is ineligible for a reward. |
Hey @alex-ppg, I understand that this can't be accepted as a high-level issue. However, from my perspective, this is still a valid Medium-level issue even with the onlyOperator modifier in place. This is due to the critical nature of the outcome: funds from one pair can be stolen by other pairs, leading to invalid accounting for the entire protocol. The only difference is that the current probability is Low, as this scenario arises from the possibility of an Operator making a mistake (for example by setting the IMR param with 0 zero too much), or even without his mistake. Accounting for rewards ahead of time (as outlined in this issue and in #594) for both the protocol and the pool creator is itself a Medium-level issue. In situations where valid pairs (for example, WETH/USDC and WBTC/USDC) are created by a trusted operator, one pair can still take funds from another pair, even with correct IRM parameters. Example:
|
And yet, I feel that the removal of the onlyOperator modifier was clearly communicated to all users on the Discord channel by the C4 staff member kartoonjoy, and a pinned message with that information is still on the channel. |
Adding a new USDC/WBTC pair with a higher interest rate, alongside the existing USDC/ETH pair, and setting a high pair creator fee, indeed carries potential risks. we would like to accept this as a medium risk report. |
Hey @0xklapouchy and @syuhei176, thank you for continuing the discussion! I understand that the situation is unfortunate, however, I will have to maintain my original ruling as a matter of precedence. The validators as well as the judge have approached this contest without the additional information in mind, and it is reasonable to assume that Wardens have downloaded the repository / accessed it via the C4 portal without scouring the C4 discussions. I myself have participated in C4 contests without looking at the Discord discussions and it is not reasonable to assume all wardens will have checked Discord. As a result, any vulnerability arising from the newly shared context will remain out-of-scope in the interest of fairness. I empathize with your disagreement about this ruling @0xklapouchy, and hope you find solace in the fact that the Sponsor found your report useful! |
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/libraries/logic/AddPairLogic.sol#L150-L153
https://github.com/code-423n4/2024-05-predy/blob/2fb1e0ec7a52fc06c2e9c8e561bccba84302e4bb/src/libraries/ApplyInterestLib.sol#L71-L72
Vulnerability details
he Predy protocol invariant is that the base rate should not exceed 100%, and the maximum possible interest rate should not surpass 1100%. However, the IRM parameters are not checked during new pair registration.
With the updated requirement that anyone can add pairs, this introduces a potential attack vector.
An attacker can duplicate any existing pair containing liquidity with a new pair that has its IRM parameters manipulated to absurd numbers. For example, the base rate could be set to 3T% (3000000000000%).
While IRM manipulation alone will not benefit the attacker, a flaw in how the creator/protocol revenue is accounted for creates an opportunity for exploitation.
If the pair creator sets the fee to the maximum amount of 20%, 10% of that fee is designated for him. The issue within the protocol is that the fee is calculated ahead of time and not during the repayment of the debt.
As a result, the attacker can trade a perpetual contract, for example, valued at 10 USD, for which he will need to pay a 3T% interest rate. His position will become instantly insolvent and non-liquidatable (as no one will repay a 100k USD debt for him).
However, the creator can directly extract 10% of that debt as his revenue from the Predy protocol, without any check that the manipulated pair has sufficient funds.
This leads to the extraction of funds from other pairs that have liquidity.
Impact
All funds can be stolen from Predy protocol.
Proof of Concept
withdrawCreatorRevenue()
function on the pair he controls.Note: The liquidation of the insolvent position is not possible because the debt to repay is 10 times larger than what the attacker wants to extract. In fact, liquidation would benefit him as he would be able to extract 10 times more than what was initially in the protocol.
PoC Tests
This test illustrates how to use extract funds:
Create
test/PoC/TestPoCIRMParams.t.sol
and runforge test --match-test testPoCIRMParamsManipulation -vvvv
.Recommended Mitigation Steps
registerPair()
function call:Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: