Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-08-GOODENTRY-FINDINGS-ISSUES-522
HistoryAug 07, 2023 - 12:00 a.m.

Some functions in TokenisableRange contracts does not allow user to deadline.

2023-08-0700:00:00
Code4rena
github.com
7
tokenisablerange contract
deadline
sandwich attacks
mev
vulnerability
claimfee function
JSON

Lines of code
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L200&gt;
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L260&gt;
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L301&gt;

Vulnerability details

Impact

Not allowing users to supply their own deadline could potentially expose them to sandwich attacks

Proof of Concept

Consider the following scenario:

 if ((fee0 * 100 &gt; bal0 ) && (fee1 * 100 &gt; bal1)) { 
      TOKEN0.token.safeIncreaseAllowance(address(POS_MGR), fee0);
      TOKEN1.token.safeIncreaseAllowance(address(POS_MGR), fee1);
      (uint128 newLiquidity, uint256 added0, uint256 added1) = POS_MGR.increaseLiquidity(
        INonfungiblePositionManager.IncreaseLiquidityParams({
          tokenId: tokenId,
          amount0Desired: fee0,
          amount1Desired: fee1,
          amount0Min: 0, //@audit
          amount1Min: 0,
          deadline: block.timestamp //@audit
        })

In claimFee function of TokenisableRange.sol, User is claiming fee but it does not allow user to include a deadline check and it is hardcoded to block.timestamp.

deadline: block.timestamp

In claimFee function of TokenisableRange.sol, user is claiming fee but the deadline parameter is simply passed in as current block.timestamp in which transaction occurs. This effectively means that transaction has no deadline, which means that the transaction may be included anytime by validators and remain pending in mempool, potentially exposing users to sandwich attacks by attackers or MEV bots.

  1. Alice wants to swap 30 BNB token for 1 BNB and later sell the 1 BNB for 300 DAI. She signs the transaction calling TalosBaseStrategy.redeem() with inputAmount = 30 vBNB and amountOutmin = 0.99 BNB (1$ slippage).

  2. The transaction is submitted to the mempool, however, Alice chose a transaction fee that is too low for validators to be interested in including her transaction in a block. The transaction stays pending in the mempool for extended periods, which could be hours, days, weeks, or even longer.

  3. When the average gas fee dropped far enough for Alice’s transaction to become interesting again for miners to include it, her swap will be executed. In the meantime, the price of BNB could have drastically decreased. She will still at least get 0.99 BNB due to amountOutmin, but the DAI value of that output might be significantly lower. She has unknowingly performed a bad trade due to the pending transaction she forgot about.

An even worse way this issue can be maliciously exploited is through MEV:

  1. The transaction is still pending in the mempool. Average fees are still too high for validators to be interested in it. The price of ETH has gone up significantly since the transaction was signed, meaning Alice would receive a lot more when the trade is executed.

Tools Used

Manual Review

Recommended Mitigation Steps

Allow users to supply their own deadline parameter within In init() function.

Assessed type

Timing

The text was updated successfully, but these errors were encountered:

All reactions

JSON