Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERC20TokenEmitter lacks slippage protection #150

Closed
c4-bot-6 opened this issue Dec 19, 2023 · 4 comments
Closed

ERC20TokenEmitter lacks slippage protection #150

c4-bot-6 opened this issue Dec 19, 2023 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-397 satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-6
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/ERC20TokenEmitter.sol#L152

Vulnerability details

Impact

ERC20TokenEmitter uses VRGDA model to get the current price of the ERC20 token issued in exchange for ETH. Buyers are vulnerable to the price slippage due to price adjustments incurred by the VRGDA algorithm (price increases if amount sold is ahead of schedule and vice versa).

Proof of Concept

When user calls payable buyToken function, the contract calculates the amount it will mint to the user based on msg.value and the amount of emitted tokens
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/ERC20TokenEmitter.sol#L184

        return
            vrgdac.yToX({
                timeSinceStart: toDaysWadUnsafe(block.timestamp - startTime),
                sold: emittedTokenWad,
                amount: int(etherAmount)
            });
    }

If this transaction was frontrunned or executed later, the user may receive fewer tokens than he expected (e.g. the transaction was executed when the amount sold is ahead of schedule).

Tools Used

Manual review

Recommended Mitigation Steps

Consider adding deadline and minAmountOut checks

function buyToken(
        address[] calldata addresses,
        uint[] calldata basisPointSplits,
        ProtocolRewardAddresses calldata protocolRewardsRecipients
        uint256 deadline,
        uint256 minAmountOut
    ) public payable nonReentrant whenNotPaused returns (uint256 tokensSoldWad) {
        require(deadline > block.timestamp, "expired");
        ...
        require(uint256(totalTokensForBuyers) >= minAmountOut), "amount too small")

Assessed type

Token-Transfer
@c4-bot-6 c4-bot-6 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 19, 2023
c4-bot-2 added a commit that referenced this issue Dec 19, 2023
@c4-bot-2
SpicyMeatball issue #150
ff6c119
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Dec 22, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #26

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #397

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 6, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Jan 6, 2024

MarioPoneder marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-397 satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-bot-6