Skip to content

Latest commit

 

History

History
59 lines (40 loc) · 2.44 KB

056.md

File metadata and controls

59 lines (40 loc) · 2.44 KB

Short Fleece Nightingale

High

Users will receive incorrect balance information due to uncollected fees, affecting decision-making

Summary:

The balances function in the Strategy contract does not return accurate amounts unless collectFees is called right before it. This can lead to users receiving incorrect balance information, which may affect their decision-making and interactions with the protocol.

Root Cause:

The balances function in Strategy is designed to only return accurate amounts if collectFees has been called immediately before it. This design choice can lead to incorrect balance reporting if collectFees is not called.

Internal Pre Conditions:

  • The balances function in Strategy is called without collectFees being called immediately beforehand.
  • The contract's logic assumes that collectFees is called before balances.

External Pre Conditions:

  • Users or external systems rely on the balances function to make decisions or perform actions.
  • The collectFees function is not called consistently before checking balances.

Attack Path:

  • An attacker or user calls the balances function without first calling collectFees.
  • The balances function returns an inaccurate amount, leading to incorrect decision-making.
  • The attacker or user could exploit this misinformation to perform actions based on incorrect data, potentially leading to financial losses or other adverse outcomes. Impact:

Users and external systems may make decisions based on incorrect balance information, leading to potential financial losses or other adverse outcomes.

The trust in the protocol's reporting mechanisms could be compromised, affecting user confidence and usage.

PoC:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "./Strategy.sol";

contract IncorrectBalanceAttack {
    Strategy public strategy;

    constructor(address _strategy) {
        strategy = Strategy(_strategy);
    }

    function exploit() public {
        // Call balances without calling collectFees first
        (uint256 bal0, uint256 bal1) = strategy.balances();
        // Use the incorrect balance information to make decisions
        // For example, assume the attacker uses this to make a deposit or withdrawal
        // based on the incorrect balances
    }
}

In this PoC, the IncorrectBalanceAttack contract calls the balances function without first calling collectFees, leading to incorrect balance information being used for decision-making.