Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users Can Contribute To An Auction Without Directly Committing Collateral Tokens #188

Open
code423n4 opened this issue Nov 30, 2021 · 1 comment
Open

Users Can Contribute To An Auction Without Directly Committing Collateral Tokens #188

code423n4 opened this issue Nov 30, 2021 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Handle

leastwood

Vulnerability details

Impact

purchaseArbitrageTokens enables users to commit collateral tokens and in return receive arbitrage tokens which are redeemable in the future for Malt tokens. Each auction specifies a commitment cap which when reached, prevents users from participating in the auction. However, realCommitment can be ignored by directly sending the LiquidityExtension contract collateral tokens and subsequently calling purchaseArbitrageTokens.

Proof of Concept

Consider the following scenario:

  • An auction is currently active.
  • A user sends collateral tokens to the LiquidityExtension contract.
  • The same user calls purchaseArbitrageTokens with amount 0.
  • The purchaseAndBurn call returns a positive purchased amount which is subsequently used in auction calculations.

As a result, a user could effectively influence the average malt price used throughout the Auction contract.

https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/Auction.sol#L177-L214
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/LiquidityExtension.sol#L117-L128

Tools Used

Manual code review.

Recommended Mitigation Steps

Consider adding a check to ensure that realCommitment != 0 in purchaseArbitrageTokens.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 30, 2021
code423n4 added a commit that referenced this issue Nov 30, 2021
@code423n4
leastwood issue #188
3f9ed38
@0xScotch 0xScotch added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Dec 8, 2021
@GalloDaSballo
Copy link
Collaborator

The warden has identified a way to side-step the cap on commitments.
Because the commitments are used for calculating limits, but maltPurchased is used to calculate rewards, an exploiter can effectively use an auction to purchase as many arbitrage tokens as they desire.

Using any amount greater than zero will eventually allow to end the auction, however, by using 0 this process can be repeated continuously.

Agree with the finding and severity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @0xScotch @code423n4