Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>High findings>Stablepools can be created with one or no assets
GeneralOverview
Findings
Critical (3)
High (12)Missing gas charge on memo in native_nft_transferNext zapping ID potentially duplicatedPublished module names do not necessarily match binary moduleStablepools can be created with one or no assetsStablepool swap can be called, repeating the same assetFrozen module coin store can cause chain haltMalicious proposer can skip fee checkMove coins can be burned twiceQuery gas limit not enforced through bank moduleIncorrect signer check for shorthand accountsValidator set updates can skip current validatorsWithdrawal hash clash using variable-length fields
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass
Category: Coding Mistakes

Stablepools can be created with one or no assets

High Severity
Low Impact
Low Likelihood

Description

The stableswap.move module implements an AMM based on the Curve StableSwap price function. The create_pair function can be used to create a new AMM pool with an arbitrary number of assets:

public fun create_pair(
    creator: &signer,
    name: String,
    symbol: String,
    swap_fee_rate: Decimal128,
    coins: vector<FungibleAsset>,
    ann: u64,
): FungibleAsset acquires Pool, ModuleStore

The function does not require the number of assets to be at least two, allowing to create a pool consisting of just one or even no assets at all.

Impact

This issue is reported as low impact since we consider it unlikely to be exploitable to cause damage to third parties. Pools with one or zero assets cause several of the module functions to revert, as they were written assuming pools contain at least two assets. However, considering the potential economic impact, we still classify this issue as high severity.

Recommendations

Require the number of assets to be at least two when creating a new AMM pool. This can be done by adding an assert!(coins.length() >= 2) statement to create_pair.

Remediation

Zellic © 2024Back to top ↑