Skip to content

Latest commit

 

History

History
77 lines (51 loc) · 2.67 KB

069.md

File metadata and controls

77 lines (51 loc) · 2.67 KB

Calm Pine Robin

High

users can frontrun withdraw reserves and make a huge profit

Summary

A malicious user could monitor the mempool for withdrawReserves calls and then execute a sandwich attack. First, they would call userDeposit before the withdrawReserves transaction, and then execute a userWithdraw call immediately after. By using a tool like Flashbots, they can take advantage of changes in exchange rates and make an instant profit from this manipulation.

When a user deposits or withdraws from the vault, the exchange rate between the token and its corresponding token is calculated. this exchange rate is determined as

        uint totalCash = getCashPrior();
        uint cashPlusBorrowsMinusReserves = totalCash +
            totalBorrows -
            totalReserves;
        uint exchangeRate = (cashPlusBorrowsMinusReserves * expScale) /
            _totalSupply;


        return exchangeRate;

reserve is withdrawble by the priotocol as we can see here https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/lending/CToken.sol#L1503-L1542

when owner will call _reduceReserves the exchange rate will increase as the numerator will also increase this will increase the exchange rate. which can be exploited by malicious user to make profit by watching the mempool

Root Cause

https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/lending/CToken.sol#L1503C1-L1543C1

Internal pre-conditions

admin reduces reserves

External pre-conditions

No response

Attack Path

  1. admin calls reduce reserves
  2. malicious user front runs the transaction and deposits in the contract
  3. reserves are withdrawn
  4. malicious user backruns and exploits the increased exchange rate

Impact

The withdrawnReserves action triggers an immediate rise in the exchange rate, opening up an arbitrage opportunity. Malicious actors can exploit this by performing a sandwich attack

PoC

scenario 1 totalCash = 20000 totalBorrows = 10000 totalSupply = 30000 expScale = 1e18 reserves = 5000 For Reserves = 5000: Exchange Rate = ((20000 + 10000 - 5000) * 1e18) / 30000 = (25000 * 1e18) / 30000 = 833333333333333333 Exchange Rate = 0.8333

now admin calls reduce reserves and withdraws 4000 from reserves scenario 2 For Reserves = 1000 (after 4000 withdrawal) Exchange Rate = ((20000 + 10000 - 1000) * 1e18) / 30000 = (29000 * 1e18) / 30000 = 966666666666666667 Decimal Exchange Rate = 0.9667 the exchange rate is increased which opens a window for a malicious users

No response

Mitigation

remove the reserves from exchange rate calculation