You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on May 26, 2023. It is now read-only.
github-actionsbot opened this issue
Mar 1, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Vault.deposit extends to mind share, but because the function lack of slippage control and deadline check, a very sub-optimal amount of share can be minted when transaction executes.
If the user fires a transaction but there is gas spike, the user's transaction is pending in the mempool for a long time until later the gas price drops, the user's transaction is executed when the token price increases, which result in less shares.
the amount of token withdraw is derived from totalSupply() and token1 balance and token0,
suppose a user want to withdraw from the IChiVaultSpell, the user expected to withdraw 50 amount of token, but the transaction is pending for a long in the mempool
There are transaction landed before the withdraw transaction which change the value of totalSupply in the vault.
and the totalSupply() increases a lot, the amount of token withdraws is less than 50 token and the user only get 30 tokens because the math:
Without deadline check for withdraw / deposit, the pending transaction can be executed when the withdraw amount / deposit share minted amount is against user.
Without slippage check, when the withdraw amount / deposit share minted amount is against user, transaction does not revert.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
ctf_sec
medium
Lack of slippage control and deadline check when depositing into / withdraw from the IChiVaultSpell and IChiFarm integration
Summary
Lack of slippage control and deadline check when depositing into / withdraw from the vault and when performing cToken mint / redeeming
Vulnerability Detail
In IChiVaultSpell.sol, when depositInternal is called, the function below executes
note the function calls:
Vault.deposit extends to mind share, but because the function lack of slippage control and deadline check, a very sub-optimal amount of share can be minted when transaction executes.
If we use the MockVault as a reference:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/mock/MockIchiVault.sol#L270-L280
The minted share is heavily depend on the token price and the totalSupply
If the user fires a transaction but there is gas spike, the user's transaction is pending in the mempool for a long time until later the gas price drops, the user's transaction is executed when the token price increases, which result in less shares.
Same issue in the IChiFarm.deposit
which calls:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/mock/MockIchiFarm.sol#L246
If the transaction is pending for a long time, the ichiPerShare could drops a lot when the transaction lended.
Same issue exists for vault.withdraw iin IChiVaultSpell.sol
which calls:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/mock/MockIchiVault.sol#L320
the amount of token withdraw is derived from totalSupply() and token1 balance and token0,
suppose a user want to withdraw from the IChiVaultSpell, the user expected to withdraw 50 amount of token, but the transaction is pending for a long in the mempool
There are transaction landed before the withdraw transaction which change the value of totalSupply in the vault.
and the totalSupply() increases a lot, the amount of token withdraws is less than 50 token and the user only get 30 tokens because the math:
Same issue happens in IChiFarm withdraw:
Impact
Without deadline check for withdraw / deposit, the pending transaction can be executed when the withdraw amount / deposit share minted amount is against user.
Without slippage check, when the withdraw amount / deposit share minted amount is against user, transaction does not revert.
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/spell/IchiVaultSpell.sol#L292-L299
Tool used
Manual Review
Recommendation
We recommend add deadline check and slippage control when deposit / withdraw in vault and farm.
Duplicate of #130
The text was updated successfully, but these errors were encountered: