xiaoming90 - Value of vault shares can be manipulated #67
Labels
Escalation Resolved
This issue's escalations have been approved/rejected
Non-Reward
This issue will not receive a payout
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
Medium
mystery0x
removed
the
Duplicate
sherlock-admin4
changed the title
|
While this is valid and we will fix it, it's also not clear that this can be used as an attack vector. Vault shares cannot be shorted so manipulating the price up does not create an obvious way for an attacker to profit. |
sherlock-admin3
added
Sponsor Confirmed
|
Escalate, |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
|
The report itself says that it opens up an attack vector for the future. Moreover, I don't see how this issue causes the loss of funds or qualifies for Med severity. Planning to accept the escalation and invalidate the issue. |
Maybe my understanding is incorrect. If I am wrong, please correct me. |
|
@0502lian thank you, you’re correct |
sherlock-admin2
added
Non-Reward
|
Result: |
sherlock-admin3
added
the
Escalation Resolved
|
Escalations have been resolved successfully! Escalation status:
|
sherlock-admin3
added
Won't Fix
jeffywu
added a commit
to notional-finance/leveraged-vaults
that referenced
this issue
Aug 13, 2024
jeffywu
added a commit
to notional-finance/leveraged-vaults
that referenced
this issue
Aug 13, 2024
|
The protocol team fixed this issue in the following PRs/commits: |
|
The Lead Senior Watson signed off on the fix. |
jeffywu
added a commit
to notional-finance/leveraged-vaults
that referenced
this issue
Sep 9, 2024
* fix: adding post mint and redeem hooks * test: changes to base tests * config: changes to config * feat: changes to global * feat: changes to trading * feat: changes to utils * feat: changes to single sided lp * feat: vault storage * fix: misc fixes * fix: staking vaults * fix: solidity versions * fix: test build * fix: adding staking harness * fix: adding initialization * fix: initial test bugs * fix: weETH valuation * fix: deleverage collateral check * fix: initial harness compiling * fix: initial test running * fix: acceptance tests passing * test: migrated some tests * fix: withdraw tests * test: adding deleverage test * fix: adding liquidation tests * test: withdraw request * test: finalize withdraws manual * test: tests passing * fix: single sided lp tests with vault rewarder * fix: putting rewarder tests in * fix: reward tests running * fix: vault rewarder address * fix: initial staking harness * fix: adding staking harness * fix: initial PT vault build * fix: moving ethena vault code * fix: moving etherfi code * feat: adding pendle implementations * fix: staking harness to use USDC * fix: curve v2 adapter for trading * test: basic tests passing * fix: adding secondary trading on withdraw * fix tests * fix: trading on redemption * fix: ethena vault config * fix: switch ethena vault to sell sDAI * fix warnings * fix: more liquidation tests passing * fix: ethan liquidation tests * pendle harness build * fix: initial tests passing * fix: adding pendle oracle * fix: test deal token error * fix: changing pendle liquidation discount * fix: all tests passing * fix: etherfi borrow currency * fix: adding more documentation * change mainnet fork block * properly update data seed files * fix arbitrum tests * fix test SingleSidedLP:Convex:crvUSD/[USDT] * fix: can finalize withdraws * fix: refactor withdraw valuation * fix: pendle expiration tests * fix: pendle pt valuation * remove flag * fix: remove redundant code path * fix: initial commit * fix: vault changes * fix: vault changes * fix: some tests passing * fix: fixing more tests * fix: updated remaining tests * fix: split withdraw bug * fix: new test * fix: remaining tests * fix: split withdraw reqest bug * feat: add PendlePTKelp vault * update oracle address, fix tests * Address CR comments * add test_canTriggerExtraStep * fix tests * fix: run tests * feat: adding generic vault * feat: update generate tests * fix: changes from merge * fix: adding has withdraw requests * fix: update oracle address for network * fix: merge kelp harness * fix: base tests passing * fix: move generation config * fix: initial pendle test generation * fix: mainnet tests passing * fix: vault rewarder * fix: more pendle tests * fix: pendle dex test * fix: adding camelot dex * fix: update usde pt * fix: adding camelot adapter * fix: support configurable dex * fix: adding more PT vaults * fix: approval bug * fix: update dex information * fix: mainnet tests passing * fix: update arbitrum pendle tests * fix: update deployment addresses * test: add balancer v2 batch trade * fix: add given out batch trade * fix: remove trade amount filling * fix: add some comments * fix: audit issue #60 * fix: switch to using getDecimals * fix: sherlock-audit/2024-06-leveraged-vaults-judging#73 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#72 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#70 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#66 * test: adding pendle oracle test * fix: sherlock-audit/2024-06-leveraged-vaults-judging#69 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#64 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#43 * fix: audit issue #18 * fix: move slippage check * fix: add comment back * fix: sherlock-audit/2024-06-leveraged-vaults-judging#56 * test: adding test that catches math underflow * fix: adding test for vault shares * fix: sherlock-audit/2024-06-leveraged-vaults-judging#44 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#6 * test: adds test to check split withdraw request value * fix: sherlock-audit/2024-06-leveraged-vaults-judging#78 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#80 * fix: updating valuations for tests * fix: update run tests * fix: remove stETH withdraws from Kelp in favor of ETH withdraws * fix: update tests for pendle rs eth * fix: resolve compile issues * fix: rsETH oracle price * fix: sherlock-audit/2024-06-leveraged-vaults-judging#87 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#67 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#6 * test: update tests for invalid splits * fix: sherlock fix review comments * merge: merged master into branch * fix: empty reward tokens * fix: claim rewards tests * fix: liquidation tests * fixing more tests * fix: allowing unused reward pools * test: migrating reward pools * fix: rewarder test * fix: claim rewards before withdrawing * fix: deployed vault rewarder lib on arbitrum * fix: deployed new tbtc vault * docs: adding deployment documentation * fix: update config --------- Co-authored-by: sbuljac <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
xiaoming90
Medium
Value of vault shares can be manipulated
Summary
The value of vault shares can be manipulated. Inflating the value of vault shares is often the precursor of more complex attacks. Internal (Notional-side) or external protocols that integrate with the vault shares might be susceptible to potential attacks in the future that exploit this issue.
Vulnerability Detail
It was found that the value of the vault shares can be manipulated.
Instance 1 - Kelp
To increase the value of vault share, malicious can directly transfer a large number of stETH to their
KelpCooldownHoldercontract. In Line 78, the holder contract will determine the number of stETH to be withdrawn from LIDO viaIERC20(stETH).balanceOf(address(this)). This means that all the stETH tokens residing on the holder contract, including the ones that are maliciously transferred in, will be withdrawn from LIDO.https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Kelp.sol#L78
When determining the value of vault share of a user, the
convertStrategyToUnderlyingfunction will be called, which internally calls_getValueOfWithdrawRequestfunction.The
withdrawsStatus[0].amountOfStETHat Line 126 will be inflated as the amount will include the stETH attackers maliciously transferred earlier. As a result, the vault share will be inflated.https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Kelp.sol#L126
Instance 2 - Ethena
Etherna vault is vulnerable to similar issue due to the due of
.balanceOfat Line 37 below.Before starting the cooldown, malicious user can directly transfer in a large number of sUSDe to the
EthenaCooldownHolderholder contract.https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Ethena.sol#L37
Thus, when code in Lines 87 and 99 are executed, the
userCooldown.underlyingAmountreturns will be large, which inflates the value of the vault shares.https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Ethena.sol#L77
Impact
Inflating the value of vault shares is often the precursor of more complex attacks. Internal (Notional-side) or external protocols that integrate with the vault shares might be susceptible to potential attacks in the future that exploit this issue.
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Kelp.sol#L78
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Kelp.sol#L126
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Ethena.sol#L37
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/Ethena.sol#L77
Tool used
Manual Review
Recommendation
Instance 1 - Kelp
Consider using the before and after balances to determine the actual number of stETH obtained after the execution of
WithdrawManager.completeWithdrawalfunction to guard against potential donation attacks.function triggerExtraStep() external { require(!triggered); (/* */, /* */, /* */, uint256 userWithdrawalRequestNonce) = WithdrawManager.getUserWithdrawalRequest(stETH, address(this), 0); require(userWithdrawalRequestNonce < WithdrawManager.nextLockedNonce(stETH)); + uint256 tokenBefore = IERC20(stETH).balanceOf(address(this)); WithdrawManager.completeWithdrawal(stETH); + uint256 tokenAfter = IERC20(stETH).balanceOf(address(this)); - uint256 tokensClaimed = IERC20(stETH).balanceOf(address(this)); + uint256 tokensClaimed = tokenAfter - tokenBefore uint256[] memory amounts = new uint256[](1); amounts[0] = tokensClaimed; IERC20(stETH).approve(address(LidoWithdraw), amounts[0]); LidoWithdraw.requestWithdrawals(amounts, address(this)); triggered = true; }Instance 2 - Ethena
Pass in the actual amount of sUSDe that needs to be withdrawn instead of using the
balanceOf.The text was updated successfully, but these errors were encountered: