Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgraded Q -> 2 from #537 [1727786902479] #557

Closed
c4-judge opened this issue Oct 1, 2024 · 4 comments
Closed

Upgraded Q -> 2 from #537 [1727786902479] #557

c4-judge opened this issue Oct 1, 2024 · 4 comments
Labels
downgraded by judge Judge downgraded the risk level of this issue duplicate-226 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax satisfactory satisfies C4 submission criteria; eligible for awards withdrawn by judge Special case: this finding was auto-generated by a judge and is now withdrawn; it can be ignored

Comments

@c4-judge
Copy link
Contributor

c4-judge commented Oct 1, 2024

Judge has assessed an item in Issue #537 as 2 risk. The relevant finding follows:

  1. Calls to balancer’s getPoolTokens should use reentrancy protection
    Links to affected code *

https://github.com/code-423n4/2024-07-loopfi/blob/57871f64bdea450c1f04c9a53dc1a78223719164/src/oracle/BalancerOracle.sol#L82

Impact
Balancer disclosed a read-only reentrancy vulnerability in the Balancer Vault. The effect of this reentrancy is that Balancer pools are susceptible to manipulation of their external queries. What this means is that integrations with balancer vaults must carefully assess the data returned from the vaults. Some protocols, were unaware of this got hacked as a result. One of the functions affected is the getPoolTokens function which is queried when BalancerOracle.sol is deployed. Via reentrancy, an attacker can force token balances and BPT supply to be out of sync, creating very inaccurate BPT prices.

constructor(

//...
(address[] memory tokens, , ) = balancerVault.getPoolTokens(poolId);
//...
Also, price updates are made quering various price calculations using pool totalSupply, normalized weights, so it is clearly vulnerable to synchronization issues between the data points.

function update() external virtual onlyRole(KEEPER_ROLE) returns (uint256 safePrice_) {
    if (block.timestamp - lastUpdate < updateWaitWindow) revert BalancerOracle__update_InUpdateWaitWindow();
    // update the safe price first
    safePrice = safePrice_ = currentPrice;
    lastUpdate = block.timestamp;

    uint256[] memory weights = IWeightedPool(pool).getNormalizedWeights();
    uint256 totalSupply = IWeightedPool(pool).totalSupply();

    uint256 totalPi = WAD;
    uint256[] memory prices = new uint256[](weights.length);
    // update balances in 18 decimals
    for (uint256 i = 0; i < weights.length; i++) {
        // reverts if the price is invalid or stale
        prices[i] = _getTokenPrice(i);
        uint256 val = wdiv(prices[i], weights[i]);
        uint256 indivPi = uint256(wpow(int256(val), int256(weights[i])));

        totalPi = wmul(totalPi, indivPi);
    }

    currentPrice = wdiv(wmul(totalPi, IWeightedPool(pool).getInvariant()), totalSupply);
}

Recommended Mitigation Steps
Recommend using the provided balancer library to protect from these manipulations.
@c4-judge c4-judge added the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Oct 1, 2024
c4-judge added a commit that referenced this issue Oct 1, 2024
@c4-judge
inh3l issue #557 (File generated from upgraded finding by judge koole…
d58bef1 
…xcrypto)
@c4-judge
Copy link
Contributor Author

c4-judge commented Oct 1, 2024

koolexcrypto changed the severity to 3 (High Risk)

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 1, 2024
@c4-judge c4-judge closed this as completed Oct 1, 2024
@c4-judge
Copy link
Contributor Author

c4-judge commented Oct 1, 2024

koolexcrypto marked the issue as duplicate of #226

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Oct 1, 2024
@c4-judge
Copy link
Contributor Author

c4-judge commented Oct 1, 2024

koolexcrypto marked the issue as satisfactory

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax withdrawn by judge Special case: this finding was auto-generated by a judge and is now withdrawn; it can be ignored and removed 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge labels Oct 16, 2024
@c4-judge
Copy link
Contributor Author

This auto-generated issue was withdrawn by koolexcrypto

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
downgraded by judge Judge downgraded the risk level of this issue duplicate-226 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax satisfactory satisfies C4 submission criteria; eligible for awards withdrawn by judge Special case: this finding was auto-generated by a judge and is now withdrawn; it can be ignored
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge