Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Frontrunning initial liquidity adding #500

Closed
code423n4 opened this issue Dec 19, 2022 · 3 comments
Closed

Frontrunning initial liquidity adding #500

code423n4 opened this issue Dec 19, 2022 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-442 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L63-L99
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L417-L427

Vulnerability details

Impact

Creation of the pair does not add initial liquidity which leads to situation where attacker can front-run creator and execute sandwich attack against the creator.

Exploitation Scenario:

  1. Alice creates pair and wants to add liquidity
  2. Bob front-runs Alice's add liquidity and quickly adds his liquidity with 100 ETH and 1 Fractional Tokens which mints 10 LP
  3. Alice adds 100 ETH and 100 Fractional Tokens which gives 10 LP
  4. The pool is 200 ETH and 101 Fractional Tokens
  5. Bob withdraws liquidity with 10 LP gets 100 ETH and 50 Fractional Tokens
  6. Bob just made nice profit

Proof of Concept

Pair.sol:

Tools Used

Manual Review

Recommended Mitigation Steps

It is recommended to initialize pair with the liquidity provided by the creator.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 19, 2022
code423n4 added a commit that referenced this issue Dec 19, 2022
@code423n4
Apocalypto issue #500
b74efda
@Minh-Trng
Copy link

If Alice thinks she would be the first to supply she would set the minLPTokenAmount parameter to sqrt(100*100)=100 (because she expects 0 slippage) which would cause her tx to revert

@c4-judge
Copy link
Contributor

berndartmueller marked the issue as duplicate of #442

C4-Staff added a commit that referenced this issue Jan 6, 2023
@C4-Staff
original risk added for issue #500
4baff5a
@c4-judge
Copy link
Contributor

berndartmueller marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-442 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Minh-Trng @code423n4 @c4-judge