Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Price manipulation vulnerability in swap calculations in StabilityBranch.sol::getAmountOfAssetOut

shrxyeh

Summary

Swap rate calculations are based on the vault’s total assets and debt without implementing sanity checks on the premium/discount factor. An attacker could manipulate the vault’s asset balance (e.g., via flash loans) immediately before swap execution to force extreme swap rates.

Vulnerability Details

The function getAmountOfAssetOut computes the swap output as follows:

UD60x18 vaultAssetsUsdX18 =

ud60x18(IERC4626(vault.indexToken).totalAssets()).mul(indexPriceX18);

if (vaultAssetsUsdX18.isZero()) revert

Errors.InsufficientVaultBalance(vaultId, 0, 0);

// we use the vault's net sum of all debt types coming from its connected

markets to determine the swap rate

SD59x18 vaultDebtUsdX18 = vault.getTotalDebt();

POC

function getAmountOfAssetOut(vaultId, usdAmountIn, indexPrice) {

let vault = loadVault(vaultId);

let vaultAssetsUsd = totalAssets(vault.indexToken) * indexPrice;

if (vaultAssetsUsd === 0) throw Error("InsufficientVaultBalance");

let vaultDebt = vault.getTotalDebt();

let premiumDiscount = getPremiumDiscountFactor(vaultAssetsUsd, vaultDebt);

// The computed output may be exaggerated if vaultAssetsUsd is manipulated.

let amountOut = (usdAmountIn / indexPrice) * premiumDiscount;

return amountOut;

}

Impact

Exploitable Swap Rates: An attacker may temporarily lower the vault’s total asset value, forcing a severe discount or premium, to gain an advantageous swap rate.
Financial Losses: Manipulated rates could lead to draining a vault’s reserves or unfairly benefiting malicious parties.

Tools Used

Static analysis (Slither, MythX)
Manual review and economic simulation
Fuzz testing

Recommendations

Rate Limits & Sanity Checks: Impose minimum/maximum bounds on the computed premium/discount factor.
Time-weighted Oracle Values: Use time-averaged or oracle-verified asset values rather than instantaneous totalAssets() calls.
Flash Loan Guards: Introduce measures to detect or block flash loan manipulations of vault balances.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!