Lost yield due to using block.timestamp as deadline in swap(), increaseLiquidity() and decreaseLiquidity() (which also don't always have slippage checks) #543
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-260
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
3 (High Risk)
|
141345 marked the issue as duplicate of #78 |
|
timestamp as deadline is just like fill or kill order, which should be executed immediately or cancel. |
|
141345 marked the issue as duplicate of #260 |
c4-judge
added
downgraded by judge
|
gzeon-c4 changed the severity to QA (Quality Assurance) |
c4-judge
added
grade-c
unsatisfactory
|
gzeon-c4 marked the issue as grade-c |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/PositionManager/OptionsPositionManager.sol#L480
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/PositionManager/OptionsPositionManager.sol#L502
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L154
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L200
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L260
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L301
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/PositionManager/OptionsPositionManager.sol#L135
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/PositionManager/OptionsPositionManager.sol#L424
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L331
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L198-L199
Vulnerability details
Impact
MEV opportunities and yield lost due to the fact that the deadline argument in the
swap(),increaseLiquidity()anddecreaseLiquidity()is set toblock.timestamp. Additionally,increaseLiquidity()anddecreaseLiquidity()don't always specifyminAmount0andmaxAmount0, leading to even more MEV.Proof of Concept
By setting the deadline to
block.timestamp, the transaction can be included at any block, enabling more MEV opportunities. The codebase offers some protection by setting minimum or maximum amounts for swaps, butincreaseLiquidity()anddecreaseLiquidity()sometimes have0 amountMinarguments, exposing even more the protocol for MEV.Thus, validators may wait out the transaction as long as they want to get the best fee, making the user lose funds and have to wait longer for the transaction execution. In the case of the
increaseLiquidity()anddecreaseLiquidity()calls with0 minAmount, it represents even more yield loss.Here is an example of a similar report.
Tools Used
Vscode, Foundry, Solodit
Recommended Mitigation Steps
Set a maximum deadline in the
swap(),increaseLiquidity()anddecreaseLiquidity()functions. Additionally, specify minimum amounts in allwithdraw()calls ofTokanisableRange, which currently are being called with0 amount0minand0 amount1minin theGeVaultandOptionsPositionManager(see the links for the locations).Assessed type
MEV
The text was updated successfully, but these errors were encountered: