Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KupiaSec - The api.burn function should have cool down period #114

Closed
sherlock-admin4 opened this issue Sep 9, 2024 · 6 comments
Closed

KupiaSec - The api.burn function should have cool down period #114

sherlock-admin4 opened this issue Sep 9, 2024 · 6 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Sep 9, 2024
edited by WangSecurity
Loading

KupiaSec

High

The api.burn function should have cool down period

Summary

Liquidity providers can burn their liquidity tokens anytime regardless minting time.
Attackers can take fees without contributing to the pool using this vulnerability.

Root Cause

There is no cool down period in the api.burn function.

Internal pre-conditions

None

External pre-conditions

None

Attack Path

  1. Bob(lp) mints 100 lp_token by depositing 100 in quote token and the total supply of lp_token is 100.
  2. Alice opens the long position.
  3. The following steps are performed in one transaction:
    • Alice mints 1000 lp_token by depositing 1000
    • Alice closes the long position: she has to pay 10 fees to the pool and the pool's total reserve is 1000 + 100 + 10 = 1110.
    • Alice burns 1000 lp_token: Alice receives 1000 * 1110 / 1100 = 1009

Alice pays 10 fees while closing the position and receives additional 9 fees while burning.
Even though Alice's minted 1000 lp_token did not contribute to the users' positions, she received fees and this is unfair for other liquidity providers.

This vulnerability is available for attackers to frontrun the closing position.

Impact

Fees are distributed to liquidity providers unfairly.

PoC

None

Mitigation

It is recommended to add the cool down period in the api.burn function and make burning available after cool down period.

Duplicate of #94
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Sep 11, 2024
@sherlock-admin3 sherlock-admin3 changed the title Dancing Topaz Perch - The api.burn function should have cool down period KupiaSec - The api.burn function should have cool down period Sep 11, 2024
@sherlock-admin3 sherlock-admin3 added the Non-Reward This issue will not receive a payout label Sep 11, 2024
@KupiaSecAdmin
Copy link

Escalate

This is a duplicate of #94

@sherlock-admin3
Copy link
Contributor

Escalate

This is a duplicate of #94

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Sep 12, 2024
@rickkk137
Copy link

Escalate

This is a duplicate of #94

root cause is same for both

@WangSecurity
Copy link

Agree with the escalation, planning to accept and validate with #94.

@WangSecurity WangSecurity added the High A High severity issue. label Sep 25, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Sep 25, 2024
@WangSecurity WangSecurity added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue Excluded Excluded by the judge without consulting the protocol or the senior labels Sep 25, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Sep 25, 2024
@WangSecurity
Copy link

Result:
High
Duplicate of #94

@sherlock-admin2 sherlock-admin2 removed the Escalated This issue contains a pending escalation label Sep 25, 2024
@sherlock-admin3 sherlock-admin3 added the Escalation Resolved This issue's escalations have been approved/rejected label Sep 25, 2024
@sherlock-admin4
Copy link
Contributor Author

Escalations have been resolved successfully!

Escalation status:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rickkk137 @WangSecurity @KupiaSecAdmin @sherlock-admin2 @sherlock-admin3 @sherlock-admin4