Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing slippage on Stableswap add_Liquidity() #40

Closed
c4-bot-1 opened this issue Feb 19, 2024 · 3 comments
Closed

Missing slippage on Stableswap add_Liquidity() #40

c4-bot-1 opened this issue Feb 19, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-93 edited-by-warden 🤖_15_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@c4-bot-1
Copy link
Contributor

c4-bot-1 commented Feb 19, 2024
edited by c4-bot-6
Loading

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/stableswap/src/lib.rs#L475

Vulnerability details

Bug Description

The stableswap AMM in the HydraDX protocol allows users to deposit liquidity to facilitate the market maker functionality. It is a well known issue that calls to add/withdraw liquidty on vaults/amm pools can be frontrun to reduce the users received shares. In the add_liquidity_shares() this is already accounted for as the user provides the amount of shares he wants to receive, and can control his slippage by setting the max_asset_amount variable.

Unfortunately, in the add_liquidity() function, where the user sets how many assets he wants to provide, he is not able to set the minimum amount of assets that he wants to receive. This way the user could have to endure up to 100% slippage, resulting in massive losses.

Impact

This issue allows a malicious attacker to frontrun calls to add_Liquidity() so that users incur high slippage losses. The users can't protect themselves against this as they are not able to set a slippage parameter in the function.

Proof of Concept

The issue can already be spotted when looking at add_liquidty()'s function signature.

#[pallet::call_index(3)]
#[pallet::weight(<T as Config>::WeightInfo::add_liquidity()
					.saturating_add(T::Hooks::on_liquidity_changed_weight(MAX_ASSETS_IN_POOL as usize)))]
#[transactional]
pub fn add_liquidity(
	origin: OriginFor<T>,
	pool_id: T::AssetId,
	assets: Vec<AssetAmount<T::AssetId>>,
) -> DispatchResult {
	let who = ensure_signed(origin)?;

	let shares = Self::do_add_liquidity(&who, pool_id, &assets)?;

	Self::deposit_event(Event::LiquidityAdded {
		pool_id,
		who,
		shares,
		assets,
	});

	Ok(())
}

An exemplary situation can be described as follows

  1. Alice wants to add liquidity and calls the add_liquidity() function
  2. Bob spots this call and front runs it
  3. He adds a lot of liquidity/trades so that Alice gets less shares than expected
  4. Alice can't set slippage so her transaction will still execute

Tools Used

Manual Review

Recommended Mitigation Steps

The issue can be mitigated by allowing the user to pass a minShares parameter. At the end of the function, it should check if the user receives more shares than this parameter, and otherwise revert.

ensure!(minShares <= shares, Error::<T>::SlippageLimit);

Assessed type

MEV
@c4-bot-1 c4-bot-1 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 19, 2024
c4-bot-3 added a commit that referenced this issue Feb 19, 2024
@c4-bot-3
J4X issue #40
b04079d
@c4-bot-7 c4-bot-7 removed the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Feb 21, 2024
@code4rena-admin code4rena-admin added 3 (High Risk) Assets can be stolen/lost/compromised directly edited-by-warden labels Feb 21, 2024
@c4-bot-11 c4-bot-11 added the 🤖_15_group AI based duplicate group recommendation label Mar 1, 2024
@c4-pre-sort
Copy link

0xRobocop marked the issue as duplicate of #158

@c4-judge
Copy link

c4-judge commented Mar 7, 2024

OpenCoreCH marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Mar 7, 2024
@c4-judge
Copy link

c4-judge commented Mar 9, 2024

OpenCoreCH changed the severity to 2 (Med Risk)

@J4X-98 J4X-98 mentioned this issue Mar 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-93 edited-by-warden 🤖_15_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@c4-judge @c4-pre-sort @code4rena-admin @c4-bot-1 @c4-bot-7 @c4-bot-11