Category: Business Logic

ERC-4626 vault inflation

Medium Severity
Medium Impact
Low Likelihood

Description

Contracts inheriting the EnFi4626 contract are vulnerable to the ERC-4626 inflation attack.

In accordance with ERC-4626, EnFi4626 is a vault that holds assets on behalf of its users. Whenever a user deposits assets, it issues to the user a number of shares such that the proportion of the user's shares over the total issued shares is equal to the user's assets over the total withdrawable assets. This allows assets gained by EnFi4626 to increase the value of every user's shares in a proportional way.

ERC-4626 vaults are susceptible to inflation attacks; an attacker can "donate" funds to the vault without depositing them, increasing the value of a share unexpectedly. In some circumstances, including when an unsuspecting user is the first depositor, an attacker can make back more than they donated, stealing value from the first depositor.

Impact

The attack works as follows:

  1. The benign user submits a deposit transaction to the vault, depositing 1,000 coins.

  2. Before the deposit transaction is mined, an attacker front-runs it with an earlier transaction, which deposits 0.000001 coins and then donates 1,000 coins to the vault. After this, the attacker has one share and the vault has 1,000.000001 coins.

  3. Then, the user's deposit transaction is mined. After the user's deposit, the vault has 2,000.000001 coins, of which 1,000 was just deposited by the user. Since shares are now worth 1,000.0000005 coins after the attacker's front-run transactions, the user is given less than one share, which the vault rounds to zero.

  4. Finally, the attacker, with their one share that represents all the issued shares, withdraws all of the assets, stealing the benign user's coins.

Recommendations

Please see GitHub issue #3706 in OpenZeppelin for discussion about how to mitigate this vulnerability.

In short, the first deposit to a new vault could be made by a trusted admin during vault construction to ensure that totalSupply remains greater than zero. However, this remediation has the drawback that this deposit is essentially locked, and it needs to be high enough relative to the first few legitimate deposits such that front-running them is unprofitable. Even if this prevents the attack from being profitable, an attacker can still grief legitimate deposits with donations, making the user gain fewer shares than they should have gained.

Another solution is to track totalAssets internally by recording the assets gained through its Market positions and not increasing it when donations occur. This makes the attack significantly harder, since the attacker would have to donate funds by affecting price feeds for the underlying assets rather than just sending tokens to the vault.
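The following integer model of ERC-4626 share accounting replays the four steps from the Impact section and then reruns them with the two mitigations just described (an admin seed deposit, and totalAssets tracked internally so that donations are not credited). It is an added illustration written for this page, not EnFi4626 or Nukem Loans code. Assumptions, all labelled in the code: a 6-decimal asset token (so the report's 0.000001 coins is one base unit), floor rounding on every conversion, a 1:1 share price for an empty vault, and the hypothetical names Vault and run_scenario.

```python
"""Integer model of ERC-4626 share accounting (added example, not project code).

Assumptions: a 6-decimal asset token, floor rounding on conversions, and a
1:1 share price when the vault is empty.
"""

from dataclasses import dataclass, field

COIN = 10**6  # assumed 6-decimal token: 1 coin == 1_000_000 base units


@dataclass
class Vault:
    track_internally: bool = False   # mitigation: totalAssets ignores donations
    balance: int = 0                 # tokens the vault actually holds (balanceOf)
    tracked_assets: int = 0          # assets credited through deposit/yield only
    total_shares: int = 0
    shares: dict = field(default_factory=dict)

    def total_assets(self) -> int:
        return self.tracked_assets if self.track_internally else self.balance

    def deposit(self, who: str, assets: int) -> int:
        # convertToShares: assets * totalSupply / totalAssets, rounded down;
        # an empty vault mints 1:1.
        if self.total_shares == 0:
            minted = assets
        else:
            minted = assets * self.total_shares // self.total_assets()
        self.balance += assets
        self.tracked_assets += assets
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets: int) -> None:
        # A plain token transfer to the vault: no shares are minted, and with
        # internal tracking enabled it is not credited to totalAssets either.
        self.balance += assets

    def redeem(self, who: str, shares: int) -> int:
        # convertToAssets, rounded down in the vault's favour.
        assets = shares * self.total_assets() // self.total_shares
        self.shares[who] -= shares
        self.total_shares -= shares
        self.balance -= assets
        # Only meaningful in internal-tracking mode; clamp so the untracked
        # case (where payouts can exceed tracked deposits) stays non-negative.
        self.tracked_assets = max(self.tracked_assets - assets, 0)
        return assets

    def value_of(self, who: str) -> int:
        if self.total_shares == 0:
            return 0
        return self.shares.get(who, 0) * self.total_assets() // self.total_shares


def run_scenario(seed: int = 0, track_internally: bool = False) -> dict:
    """Replay the report's four steps, optionally against a vault seeded by an
    admin or one that tracks totalAssets internally. Returns what each party
    ends up with, in base units."""
    v = Vault(track_internally=track_internally)
    if seed:
        v.deposit("admin", seed)                    # mitigation 1: seed liquidity
    attacker_deposit = 1                            # step 2a: 0.000001 coins
    v.deposit("attacker", attacker_deposit)
    donation = 1_000 * COIN
    v.donate(donation)                              # step 2b: 1,000 coins donated
    user_shares = v.deposit("user", 1_000 * COIN)   # step 3: victim's 1,000 coins
    attacker_out = v.redeem("attacker", v.shares["attacker"])  # step 4
    return {
        "user_shares": user_shares,
        "user_value": v.value_of("user"),
        "attacker_profit": attacker_out - attacker_deposit - donation,
    }


if __name__ == "__main__":
    for label, kw in [("unmitigated", {}),
                      ("seeded with 1,000 coins", {"seed": 1_000 * COIN}),
                      ("internal totalAssets tracking", {"track_internally": True})]:
        print(label, run_scenario(**kw))
```

In the unmitigated run the user is minted zero shares and the attacker's single share redeems for both deposits, exactly as the Impact section walks through. With a seed deposit equal to the victim's deposit, the user receives fewer shares than a 1:1 mint would give (the griefing effect noted above) but those shares are still worth the full 1,000 coins, and the donation is a loss for the attacker. With internal tracking, the donation never enters the share price at all, so the user is minted the full 1,000,000,000 shares and the attacker again loses the donated amount.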

Alternatively, an ERC-4626 router can be used. This, however, will consume more gas for any of the performed operations. Additionally, it introduces a new potential attack vector, as the router will have to be trusted to perform the operations correctly.

Remediation

The Nukem Loans team acknowledged this issue and has decided to supply the seed liquidity necessary to prevent the attack.

Zellic © 2024