Skip to content

Latest commit

 

History

History
75 lines (53 loc) · 2.87 KB

019.md

File metadata and controls

75 lines (53 loc) · 2.87 KB

Short Currant Chipmunk

High

User can evade _fees.debond

Summary

A user having >=99% holding of pTKNs can evade debond Fee.

Root Cause

In WeightedIndex::debond L-176 the check for whether the user is the Last One Out ,the function _isLastOut contains a bug. It allows anybody having >=99% of _totalSupply holding debond without any fee.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

Alice is an arbitrageur gleaning profits by big amount of wrapping and unwrapping TKNs. While market volatility unwrapping(debonding(pTKN==>TKN)) becomes profitable and everyone tends to unwrap. Since Alice has got a very large holding, she waits a bit and notices her holding is ~99% of the _totalSupply , and debonds her holding without giving any fees even after lots of person have still got holdings. (This Protocol allows only the last person to debond without fee.)

Impact

The protocol suffers a large amount of fees(~1% of debond amount) (since the user debonds very large amount).

PoC

    function test_debondMultipleUsers() public {
        console.log("Initial Peas Balance of alice: ", peas.balanceOf(alice));
        vm.startPrank(alice);
        pod.bond(address(peas), bondAmt, 0);
        vm.stopPrank();
        //initial setup for 99 users
        for (uint256 i = 0; i < 99; i++) {
            address user = address(uint160(4 + i));
            deal(address(peas), user, bondAmt / 500);
            vm.startPrank(user);
            peas.approve(address(pod), type(uint256).max);
            vm.stopPrank();
            vm.startPrank(user);
            pod.bond(address(peas), bondAmt / 10000, 0);
            vm.stopPrank();
        }

        uint256 aliceInitialBalance = pod.balanceOf(alice);

        console.log("Before debond Balance of alice : ", aliceInitialBalance);
        console.log("Total Supply: ", pod.totalSupply());

        vm.startPrank(alice);
        address[] memory _n1;
        uint8[] memory _n2;
        pod.debond(aliceInitialBalance, _n1, _n2);
        vm.stopPrank();

        console.log("Final Balance of alice : ", peas.balanceOf(alice));
     }
Logs:
  Initial Peas Balance of alice:  100000000000000000000  
  Before debond Balance of alice :  1000000000000000000  
  Total Supply:  1009899999999999901
  Final Balance of alice :  99999999999999999999(1 loss due to rounding error)

Mitigation

Users can be listed through a mapping, every time an user debonds should be out from the list. And only the last person will be given the debond fee Free benefit.