Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Whale invest() and divest() denial of service (DoS) #9

Open
kitty-the-kat opened this issue Jan 11, 2023 · 1 comment
Open

Whale invest() and divest() denial of service (DoS) #9

kitty-the-kat opened this issue Jan 11, 2023 · 1 comment
Assignees
@kitty-the-kat
Labels
potential issue

Comments

@kitty-the-kat
Copy link
Contributor

If a whale deposits a large enough amount of 3CRV into the GVault, ConvexStrategy may not be able to deposit the large amount into the Curve metapool without substantial slippage. This can cause invest() in ConvexStrategy to revert and block the strategy's harvesting from operating properly. The same could happen with divest(), but would require the whale creating an imbalance in the Curve pool outside of Gro, which is likely an unprofitable approach.

Technical Details

A whale may deposit an extremely large amount of 3CRV into GVault. When the GVault provides this 3CRV to ConvexStrategy to invest, the invest() function makes sure that the liquidity added to the metapool is within proper slippage tolerance. If the Curve pool is imbalanced sufficiently by the added liquidity, it may not return sufficient value and cause invest() to revert due to the slippage exceeding the slippage tolerance. This denial of service would not cost the whale much to sustain the DoS because they could deposit the GVault tokens into the Senior Tranche (at least until the utilization ratio is met) and receive their fixed yield, even though the Junior Tranche is not receiving its yield because the strategy's harvesting mechanism is locked up. In theory this could lead to bankrupting the Junior Tranche if carried out for long enough because the whale's deposit can't be deposited into the metapool to maximize rewards, like the "leach attack" described in a separate finding.

divest() has a similar slippage check that may also revert under some conditions. Since users cannot control when divest happens, the whale would need to imbalance the pool outside of Gro. This DoS is likely far more costly than the invest() DoS vector because imbalancing the Curve pool would most likely create and arbitrage opportunity.

Impact

Medium. Denial of Service of a key function in the protocol could happen and there does not appear to be a simple way to resolve the situation.

Recommendation

Modify invest() to avoid a revert in this case of a whale deposit. For instance, invest() could calculate the maximum assets that could be deposited into the metapool within slippage limits and then deposit that amount. Alternatively, set an owner controlled max cap on the total assets value than the GVault can receive in deposit() to add one layer of prevention for this edge case.

Developer Response
@kitty-the-kat kitty-the-kat self-assigned this Jan 11, 2023
@kitty-the-kat
Copy link
Contributor Author

acknowledged - Will be included in future upgrade, as this can be controlled by adjusting debt ratios atm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kitty-the-kat kitty-the-kat

Labels
potential issue
Projects
None yet
Milestone
No milestone
Development

When branches are created from issues, their pull requests are automatically linked.

9-whale-invest-and-divest-denial-of-service-dos groLabs/GSquared
1 participant
@kitty-the-kat