Security: Price Manipulation in function sharesForAmount
Closed this issue · 0 comments
Attack type
Remote
Impact
- Other: Disproportionate financial gain through manipulation of internal state.
Affected component(s)
function sharesForAmount in LiquidityPool.sol
Attack vector(s)
A malicious actor can manipulate the totalPooledEther variable by making large deposits or withdrawals right before the execution of the sharesForAmount function, impacting the share distribution calculation.
Suggested description of the vulnerability for use in the CVE
A vulnerability in the Ether.fi smart contract could allow an attacker to exploit the timing of calculations in the sharesForAmount function. The function calculates new shares based on the totalPooledEther, which can be manipulated by sudden changes in the pooled ether amount, leading to disproportionate share allocation. This could result in an attacker gaining a larger share than their contribution merits, potentially leading to financial losses for other users.
Discoverer(s)/Credits
xFuzz
Proposed Solution
- Implement checks to detect and mitigate rapid, large-scale changes in the totalPooledEther prior to calculations in the sharesForAmount function.
- Consider updating the contract to use a snapshot or fixed reference of totalPooledEther at the beginning of each transaction block to prevent exploitation through transaction timing.
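The two mitigations above, modelled in Python as an added example (this is not Ether.fi code and makes no claim about how LiquidityPool.sol is actually written). The model assumes the common liquid-staking formula shares = amount * totalShares / totalPooledEther, and assumes totalPooledEther can move without shares being minted (reward accrual or a direct ether transfer), which is what makes the reference value movable within a block. It snapshots both totalPooledEther and totalShares at the first touch in a block, so the share price a transaction sees is fixed for that block, and it rejects a calculation when the live share price has drifted from the snapshot by more than a configurable bound; class names, the basis-point threshold and the sample amounts are constructed for the illustration.

```python
"""Proportional share accounting with a per-block snapshot and a deviation guard.

Constructed model for illustration; not the Ether.fi LiquidityPool contract.
"""
from dataclasses import dataclass

WAD = 10**18  # 1 ether in wei; sample amounts below are whole ether multiples


class RateDeviationError(Exception):
    """Live share price moved further from the block snapshot than allowed."""


@dataclass
class LiquidityPoolModel:
    total_pooled_ether: int = 0      # wei backing all outstanding shares
    total_shares: int = 0
    max_deviation_bps: int = 100     # tolerated drift from the snapshot, in basis points
    snapshot_block: int = -1         # block in which the snapshot was taken
    snapshot_pooled_ether: int = 0   # assumed: recorded on first touch in a block
    snapshot_shares: int = 0

    def _begin_block(self, block_number: int) -> None:
        # Record the share-price reference once per block; later calls in the
        # same block reuse it regardless of how state changed in between.
        if block_number != self.snapshot_block:
            self.snapshot_block = block_number
            self.snapshot_pooled_ether = self.total_pooled_ether
            self.snapshot_shares = self.total_shares

    def shares_for_amount_naive(self, amount: int) -> int:
        """The live-state formula the report warns about (reference only)."""
        if self.total_shares == 0 or self.total_pooled_ether == 0:
            return amount  # bootstrap: one share per wei
        return amount * self.total_shares // self.total_pooled_ether

    def shares_for_amount(self, amount: int, block_number: int) -> int:
        """Same formula, evaluated against the block-start snapshot with a guard."""
        self._begin_block(block_number)
        if self.snapshot_shares == 0 or self.snapshot_pooled_ether == 0:
            return amount  # bootstrap case, nothing to compare against
        # Price per share, scaled by WAD, for both the live state and the snapshot.
        live_rate = self.total_pooled_ether * WAD // self.total_shares
        snap_rate = self.snapshot_pooled_ether * WAD // self.snapshot_shares
        deviation_bps = abs(live_rate - snap_rate) * 10_000 // snap_rate
        if deviation_bps > self.max_deviation_bps:
            raise RateDeviationError(
                f"share price moved {deviation_bps} bps since block snapshot"
            )
        return amount * self.snapshot_shares // self.snapshot_pooled_ether

    def deposit(self, amount: int, block_number: int) -> int:
        """Mint shares for a deposit at the block's fixed share price."""
        minted = self.shares_for_amount(amount, block_number)
        self.total_pooled_ether += amount
        self.total_shares += minted
        return minted

    def accrue(self, amount: int, block_number: int) -> None:
        """Pooled ether grows with no shares minted (rewards or a direct transfer)."""
        self._begin_block(block_number)
        self.total_pooled_ether += amount


def run_scenario() -> tuple:
    """Constructed sequence: two deposits, an in-block balance jump, a later deposit."""
    pool = LiquidityPoolModel(max_deviation_bps=100)
    first = pool.deposit(1000 * WAD, block_number=1)    # bootstrap, 1:1
    second = pool.deposit(500 * WAD, block_number=2)    # proportional mint, rate unchanged
    pool.accrue(200 * WAD, block_number=3)              # rate jumps ~13% inside block 3
    try:
        pool.shares_for_amount(100 * WAD, block_number=3)
        guarded = False
    except RateDeviationError:
        guarded = True                                  # guard rejects the calculation
    fourth = pool.shares_for_amount(170 * WAD, block_number=4)  # fresh snapshot, clean rate
    return first, second, guarded, fourth, pool


if __name__ == "__main__":
    first, second, guarded, fourth, pool = run_scenario()
    print(f"block 1 shares: {first // WAD}, block 2 shares: {second // WAD}")
    print(f"block 3 guarded: {guarded}, block 4 shares for 170 ETH: {fourth // WAD}")
    print(f"naive shares for 100 ETH at live state: {pool.shares_for_amount_naive(100 * WAD) / WAD:.3f}")
```

Snapshotting the denominator alone, as the proposal is worded, would pair a stale totalPooledEther with a live totalShares and skew the result after the first deposit in a block, which is why the model freezes the whole ratio. The bound is the practical trade-off: a snapshot makes a transaction blind to same-block movements, so the guard caps how far the frozen price may lag the live one before the calculation is refused.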
Reference(s)
- https://github.com/etherfi-protocol/smart-contracts/blob/master/src/LiquidityPool.sol
- https://etherscan.io/address/0x308861A430be4cce5502d0A12724771Fc6DaF216?utm_source=immunefi#code
- https://code4rena.com/reports/2021-08-notional#h-10-liquidity-token-value-can-be-manipulated
- https://code4rena.com/reports/2021-07-spartan#h-06-synthvault-rewards-can-be-gamed