Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ema-oracle will show an arbitrary asset price, even though the asset was completely removed from the omnipool #169

Open
c4-bot-10 opened this issue Mar 1, 2024 · 5 comments
Open

Ema-oracle will show an arbitrary asset price, even though the asset was completely removed from the omnipool #169

c4-bot-10 opened this issue Mar 1, 2024 · 5 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_51_group AI based duplicate group recommendation

Comments

@c4-bot-10
Copy link
Contributor

c4-bot-10 commented Mar 1, 2024
edited by c4-bot-7
Loading

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/omnipool/src/lib.rs#L1567-L1573

Vulnerability details

Impact

Ema-oracle will show an arbitrary asset price, even though the asset was completely removed from the omnipool. Any other flows that consume ema-oracle price can be impacted as well.

Proof of Concept

The vulnerability is in the omnipool pallet (lib.rs) remove_token(). Typically, any liquidity management/trading will invoke a hook that calls ema-oracle pallet to update a spot oracle entry.

However, the exception is that no hook is called in remove_token(), even though remove_token() also changes liquidity and asset reserves, on top of completely deleting the asset from the pool.

The impact is ema-oracle will still show an oracle entry price with an arbitrary value at user remove liquidity (remove_liquidity), even though the asset reserve is completely withdrawn in remove_token() and the asset no longer exists.

(1)For comparison, this is an example of a normal flow of liquidity change.

//HydraDX-node/pallets/omnipool/src/lib.rs
		pub fn remove_liquidity(
			origin: OriginFor<T>,
			position_id: T::PositionItemId,
			amount: Balance,
		) -> DispatchResult {
...
                        //@audit-info note: this calls adapter which calls ema-oracle to record an oracle entry
|>			T::OmnipoolHooks::on_liquidity_changed(origin, info)?;

			Ok(())
		}

(https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/omnipool/src/lib.rs#L864)

(2) Problem: remove_token() doesn't call any hook to alert ema-oracle pallets the reserve is withdrawn and asset is deleted.

//HydraDX-node/pallets/omnipool/src/lib.rs
		pub fn remove_token(origin: OriginFor<T>, asset_id: T::AssetId, beneficiary: T::AccountId) -> DispatchResult {
...
			T::Currency::withdraw(T::HubAssetId::get(), &Self::protocol_account(), asset_state.hub_reserve)?;
			T::Currency::transfer(asset_id, &Self::protocol_account(), &beneficiary, asset_state.reserve)?;
                        //@audit remove_token() flow will simply withdraw reserve, and share but will not alert ema-oracle with any hook for the liquidity and reserve change.
|>			<Assets<T>>::remove(asset_id);
			Self::deposit_event(Event::TokenRemoved {
				asset_id,
				amount: asset_state.reserve,
				hub_withdrawn: asset_state.hub_reserve,
			});
			Ok(())
		}

(https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/omnipool/src/lib.rs#L1567-L1573)

Tools Used

Manual

Recommended Mitigation Steps

In remove_token(), add a hook that alerts ema-oracle the asset is withdrawn, and update the ema-oracle entry accordingly.

Assessed type

Error
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 1, 2024
c4-bot-5 added a commit that referenced this issue Mar 1, 2024
@c4-bot-5
oakcobalt issue #169
7a54f67
@c4-bot-7 c4-bot-7 changed the title Ema-oracle will show an arbitrage asset price, even though the asset was completely removed from the omnipool Ema-oracle will show an arbitrary asset price, even though the asset was completely removed from the omnipool Mar 1, 2024
@c4-bot-11 c4-bot-11 added the 🤖_51_group AI based duplicate group recommendation label Mar 1, 2024
@c4-pre-sort
Copy link

0xRobocop marked the issue as duplicate of #73

@OpenCoreCH
Copy link

Unlike #73, this does not demonstrate any relevant negative impact -> downgrading to QA

@c4-judge
Copy link

c4-judge commented Mar 8, 2024

OpenCoreCH marked the issue as not a duplicate

@c4-judge c4-judge reopened this Mar 8, 2024
@c4-judge
Copy link

c4-judge commented Mar 8, 2024

OpenCoreCH changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 8, 2024
@c4-judge
Copy link

c4-judge commented Mar 9, 2024

OpenCoreCH marked the issue as grade-a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_51_group AI based duplicate group recommendation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@OpenCoreCH @c4-judge @c4-pre-sort @code4rena-admin @c4-bot-10 @c4-bot-11