etherfi-protocol/smart-contracts

Security: Price Manipulation in function sharesForAmount

Closed this issue · 0 comments

Attack type

Remote

Impact

  • Other: Disproportionate financial gain through manipulation of internal state.

Affected component(s)

function sharesForAmount in LiquidityPool.sol

Attack vector(s)

A malicious actor can manipulate the totalPooledEther variable by making large deposits or withdrawals right before the execution of the sharesForAmount function, impacting the share distribution calculation.

Suggested description of the vulnerability for use in the CVE

A vulnerability in the Ether.fi smart contract could allow an attacker to exploit the timing of calculations in the sharesForAmount function. The function calculates new shares based on the totalPooledEther, which can be manipulated by sudden changes in the pooled ether amount, leading to disproportionate share allocation. This could result in an attacker gaining a larger share than their contribution merits, potentially leading to financial losses for other users.

Discoverer(s)/Credits

xFuzz

Proposed Solution

  • Implement checks to detect and mitigate rapid, large-scale changes in the totalPooledEther prior to calculations in the sharesForAmount function.
  • Consider updating the contract to use a snapshot or fixed reference of totalPooledEther at the beginning of each transaction block to prevent exploitation through transaction timing.
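An added Python model of the share accounting and the two proposed mitigations (this is illustration, not code from the Ether.fi LiquidityPool.sol). The pricing formula amount * totalShares / totalPooledEther, the 10% per-block change threshold and the 1:1 bootstrap rate are assumptions.

```python
BPS = 10_000
MAX_BLOCK_DELTA_BPS = 1_000  # assumed guard threshold: 10% of totalPooledEther per block


class PooledEtherModel:
    def __init__(self):
        self.total_pooled_ether = 0
        self.total_shares = 0
        self.balances = {}
        self.snapshot_block = None  # block whose opening state is used for pricing
        self.snapshot_pooled = 0
        self.snapshot_shares = 0

    def _refresh_snapshot(self, block):
        # Proposed mitigation 2: fix the pricing reference at the first interaction in a
        # block, so later deposits/withdrawals in the same block cannot move the rate.
        if self.snapshot_block != block:
            self.snapshot_block = block
            self.snapshot_pooled = self.total_pooled_ether
            self.snapshot_shares = self.total_shares

    def _check_block_delta(self, new_pooled):
        # Proposed mitigation 1: reject a transaction that would move totalPooledEther
        # more than MAX_BLOCK_DELTA_BPS away from the block-opening snapshot.
        if self.snapshot_pooled == 0:
            return  # empty pool: nothing to compare against
        delta_bps = abs(new_pooled - self.snapshot_pooled) * BPS // self.snapshot_pooled
        if delta_bps > MAX_BLOCK_DELTA_BPS:
            raise ValueError(f"totalPooledEther would move {delta_bps} bps in block {self.snapshot_block}")

    def shares_for_amount(self, amount, block):
        # Price against the snapshot, not the live totalPooledEther.
        self._refresh_snapshot(block)
        if self.snapshot_pooled == 0:
            return amount  # bootstrap rate of 1 share per unit (assumed)
        return amount * self.snapshot_shares // self.snapshot_pooled

    def deposit(self, user, amount, block):
        self._refresh_snapshot(block)
        self._check_block_delta(self.total_pooled_ether + amount)
        minted = self.shares_for_amount(amount, block)
        self.total_pooled_ether += amount
        self.total_shares += minted
        self.balances[user] = self.balances.get(user, 0) + minted
        return minted

    def accrue_rewards(self, amount, block):
        # Protocol-side reward accrual: raises totalPooledEther without minting shares.
        self._refresh_snapshot(block)
        self.total_pooled_ether += amount
```

The delta guard also rejects legitimate large deposits, so the threshold would need to be tuned against expected flows; the snapshot keeps the rate constant within a block regardless of transaction ordering, which is what the model's `accrue_rewards` path shows.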

Reference(s)