Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No slippage control when withdrawing a position leads to loss of funds #2

Open
howlbot-integration bot opened this issue Nov 4, 2024 · 5 comments
Open

No slippage control when withdrawing a position leads to loss of funds #2

howlbot-integration bot opened this issue Nov 4, 2024 · 5 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-03 primary issue Highest quality submission among a set of duplicates 🤖_03_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-10-superposition/blob/7ad51104a8514d46e5c3d756264564426f2927fe/pkg/seawater/src/lib.rs#L749

Vulnerability details

Impact

An attacker can sandwich a user withdrawing funds as there is no way to put slippage protection, which will cause a large loss of funds for the victim.

Proof of Concept

decr_position_09293696 function was removed entirely. Now, the only way for users to withdraw funds is by calling update_position_C_7_F_1_F_740 with negative delta.

The issue is that in this way, users can't have any slippage protection. decr_position allowed users to choose an amount_0_min and amount_1_min of funds to receive, which is now zero.

This allows an attacker to sandwich their withdrawal to steal a large amount of funds.

Recommended mitigation steps

Consider reintroducing a withdrawal function that offers slippage protection to users (they should be able to choose amount_0_min, amount_1_min, amount_0_desired, and amount_1_desired).
@howlbot-integration howlbot-integration bot added 3 (High Risk) Assets can be stolen/lost/compromised directly 🤖_03_group AI based duplicate group recommendation bug Something isn't working primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Nov 4, 2024
howlbot-integration bot added a commit that referenced this issue Nov 4, 2024
@howlbot-integration
DadeKuma issue #2
0edc0da
@af-afk af-afk added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Nov 7, 2024
@alex-ppg
Copy link

The submission has demonstrated that liquidity withdrawals from the system are inherently insecure due to being open to arbitrage opportunities as no slippage is enforced.

I am unsure why the Sponsor has opted to acknowledge this submission as it is a tangible vulnerability and one that merits a high-risk rating. The protocol does not expose a secure way to natively extract funds from it whilst offering this functionality for other types of interactions.

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Nov 13, 2024
@c4-judge
Copy link

alex-ppg marked the issue as selected for report

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Nov 13, 2024
@c4-judge
Copy link

alex-ppg marked the issue as satisfactory

@af-afk
Copy link

af-afk commented Nov 25, 2024

@alex-ppg We won't fix this for now since Superposition has a centralised sequencer, and there's no MEV that's possible for a thirdparty to extract using the base interaction directly with our provider.

@DadeKuma
Copy link

@af-afk I highly suggest fixing this issue, as a centralized sequencer does not prevent MEV extraction. You can check this impact on Arbitrum for example: https://dune.com/datawarlock/arbitrum-mev-atomic-arbitrage

@C4-Staff C4-Staff added the H-03 label Nov 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-03 primary issue Highest quality submission among a set of duplicates 🤖_03_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@DadeKuma @alex-ppg @af-afk @c4-judge @C4-Staff