The `share` price can be manipulated through precision loss vulnerability to steal user funds.
Summary
Attackers can trigger precision loss issues by calling the deposit and withdraw functions in the PerpetualVault contract to manipulate share prices and steal assets deposited by other users.
Vulnerability Details
contracts/PerpetualVault.sol#L215-280
After the
PerpetualVaultcontract is deployed, be the first to perform adepositoperation (amount = minDepositAmount = 1e8). At this time, shares will be minted in the_mintfunction according to_shares = depositInfo[depositId].amount * 1e8;, obtainingshare = 1e16.The attacker then sends a large amount of
collateralTokento the contract (assumeamount = 1e16), raising theshareprice to1e16 share = 1e16 + 1e8 amount.After the attacker raises the
shareprice, perform anotherdepositoperation (amount = 2 * 1e8). Theshareamount will be calculated according to_shares = amount * totalShares / totalAmountBefore;. The resultingshareamount is1.
Contract state at this point: 1e16 + 1 share = 1e16 + 3e8 amount
The attacker then calls the
withdrawfunction to retrieve the first funds (share = 1e16). According toamount = collateralToken.balanceOf(address(this)) * shares / totalShares;, the calculatedamount = 1e16 + 3e8
Contract state at this point: 1 share = 0 amount
The attacker sends another large amount of
collateralTokento the contract (assumeamount = 1e16), raising theshareprice to1 share = 1e16 amount.When victim users unknowingly make a
depositoperation (amount = 1e15) after the attacker raises theshareprice, theshareamount will be calculated according to_shares = amount * totalShares / totalAmountBefore;. The user receives0shares at this time. (As long as the user'sdepositamountis less than1e16, the obtainedsharewill be0).
Contract state at this point: 1 share = 1e16 + 1e15 amount
Finally, the attacker calls the
withdrawfunction to retrieve the second funds (share = 1). According toamount = collateralToken.balanceOf(address(this)) * shares / totalShares;, the calculatedamount = 1e16 + 1e15.
Contract state at this point: 0 share = 0 amount, and the attacker has obtained the victim user's deposit of 1e15.
Impact
Attackers can manipulate the share price to prevent other users from obtaining share when depositing assets, thereby stealing user assets.
This attack scenario can be executed using a sandwich attack when discovering a user performing the first deposit operation, placing the user's deposit operation in the middle to profit.
Tools Used
Recommendations
It is recommended to refer to Compound or AAVE's approach, where the project team makes the first deposit when creating a new PerpetualVault.
Lead Judging Commences
invalid_collateral_balanceOf_donation
Prevent tokens from getting stuck. This is a simple donation to every shareholder, and therefore, every share has more value (profit), leading to fewer shares for future users. If this is not intended by the user, it is merely a mistake! For totalAmountBefore > amount * totalShares, Here is the worst-case scenario (with the minimum amount): first deposit 0.001000 (e4) USDC → 1e12 shares. Second deposit: 0.001 (e4) USDC * 1e12 / 0.001 (e4) USDC. So, the attacker would need to donate 1e16 tokens, meaning 1e10 USDC → 10 billion $. Even in the worst case, it's informational.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.