
PositionActionPendle exits pendle without slippage protection #32

Closed
howlbot-integration bot opened this issue Oct 19, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-10 🤖_41_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration

Lines of code

https://github.com/code-423n4/2024-10-loopfi/blob/d219f0132005b00a68f505edc22b34f9a8b49766/src/proxy/PositionActionPendle.sol#L64-L74

Vulnerability details

Proof of Concept

PositionActionPendle exits pendle without slippage protection which will leave functions dependent on the _onWithdraw hook vulnerable to sandwich attacks.

The hardcoded PoolActionParams in _onWithdraw hardcodes the minimum amount out to 0, meaning any amount received from pendle interaction is accepted without any issues.

        if (dst != collateralToken && dst != address(0)) {
            PoolActionParams memory poolActionParams = PoolActionParams({
                protocol: Protocol.PENDLE,
>>>             minOut: 0,
                recipient: address(this),
                args: abi.encode(
                    collateralToken,
                    collateralWithdrawn,
                    dst
                )
            });

These params are passed on to exit in PoolAction.sol

    function exit(PoolActionParams memory poolActionParams) public returns (uint256 retAmount) {
        if (poolActionParams.protocol == Protocol.BALANCER) {
            retAmount = _balancerExit(poolActionParams);
>>>     } else if (poolActionParams.protocol == Protocol.PENDLE) {
            retAmount = _pendleExit(poolActionParams);
        } else revert PoolAction__exit_unsupportedProtocol();
    }

which is called when redeeming while exiting Pendle.

    function _pendleExit(PoolActionParams memory poolActionParams) internal returns (uint256 retAmount) {
        (address market, uint256 netLpIn, address tokenOut) = abi.decode(
            poolActionParams.args,
            (address, uint256, address)
        );

//...

>>>     return SY.redeem(poolActionParams.recipient, netSyToRedeem, tokenOut, poolActionParams.minOut, true);
    }

Since the contracts are deployed on Ethereum, which is notorious for MEV bots and frontrunning, malicious users can monitor transactions that rely on _onWithdraw hook to gain unfair advantages and disrupt protocol operations for their own benefit.

Recommended Mitigation Steps

Recommend allowing the minOut to be specified, or hardcoding a more conventional amount, e.g. 95%, or using a setter function that allows the owner to set the value.

Assessed type

MEV
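The contrast the report describes, as an added illustration that is not LoopFi code: `PoolActionParams`, `Protocol.PENDLE`, `minOut` and the `SY.redeem` call shape are taken from the lines quoted above, while the `SlippageExample` contract, its `exitUnprotected`/`exitProtected`/`minOutFor` functions and the minimal `IStandardizedYield` stand-in are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for Pendle's SY interface; only the call used on the page.
interface IStandardizedYield {
    function redeem(address receiver, uint256 amountSharesToRedeem, address tokenOut,
                    uint256 minTokenOut, bool burnFromInternalBalance) external returns (uint256);
}

enum Protocol { BALANCER, PENDLE }

struct PoolActionParams {
    Protocol protocol;
    uint256 minOut;
    address recipient;
    bytes args;
}

// Hypothetical contract (not from the repository) showing the weak and the hardened exit.
contract SlippageExample {
    uint256 public constant BPS = 10_000;
    IStandardizedYield public immutable SY;

    error SlippageTooHigh(uint256 received, uint256 minOut);

    constructor(IStandardizedYield sy) { SY = sy; }

    // Weak pattern from the report: minOut fixed at 0, so any output amount is accepted.
    function exitUnprotected(uint256 netSyToRedeem, address tokenOut) external returns (uint256) {
        PoolActionParams memory p = PoolActionParams({
            protocol: Protocol.PENDLE, minOut: 0, recipient: address(this), args: ""
        });
        return SY.redeem(p.recipient, netSyToRedeem, tokenOut, p.minOut, true);
    }

    // Hardened: caller supplies a minOut (quoted off-chain), forwarded to SY and re-checked.
    function exitProtected(uint256 netSyToRedeem, address tokenOut, uint256 minOut)
        external returns (uint256 received)
    {
        require(minOut > 0, "minOut required");
        PoolActionParams memory p = PoolActionParams({
            protocol: Protocol.PENDLE, minOut: minOut, recipient: address(this), args: ""
        });
        received = SY.redeem(p.recipient, netSyToRedeem, tokenOut, p.minOut, true);
        if (received < minOut) revert SlippageTooHigh(received, minOut);
    }

    // Helper for the "conventional percentage" mitigation: e.g. 500 bps tolerates a 5% shortfall.
    function minOutFor(uint256 expectedOut, uint256 slippageBps) public pure returns (uint256) {
        require(slippageBps <= BPS, "bps > 100%");
        return expectedOut * (BPS - slippageBps) / BPS;
    }
}
```

The `minOutFor` helper is what an owner-settable slippage bound would feed into `exitProtected`; the redundant post-call check guards against an integration that ignores the `minTokenOut` argument.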

@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_41_group AI based duplicate group recommendation bug Something isn't working duplicate-10 sufficient quality report This report is of sufficient quality labels Oct 19, 2024
howlbot-integration bot added a commit that referenced this issue Oct 19, 2024
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Nov 11, 2024
@c4-judge

koolexcrypto marked the issue as satisfactory
