This repository has been archived by the owner on Jan 21, 2024. It is now read-only.
0xTheC0der - Insufficient validation of auction execution price adapter config data #24
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
0xTheC0der
medium
Insufficient validation of auction execution price adapter config data
Summary
Mismatching auction execution price adapter config data is successfully validated, leading to unintended price curves and subsequent failure of the bidding process.
Vulnerability Detail
When starting a new rebalance auction via AuctionRebalanceModuleV1.startRebalance(...), all the provided auction execution parameters are validated using AuctionRebalanceModuleV1._validateAuctionExecutionPriceParams(...). This method retrieves a specified price adapter by name and subsequently uses its IAuctionPriceAdapterV1.isPriceAdapterConfigDataValid(...) method to validate the provided price config data.
However, there are many cases where IAuctionPriceAdapterV1.isPriceAdapterConfigDataValid(...) returns true even when provided with config data from a different adapter, since this method does not perform a length check of the provided data bytes nor does the data contain any sort of price adapter identifier. Also, the AuctionRebalanceModuleV1._validateAuctionExecutionPriceParams(...) method cannot check if the provided config data matches the price adapter.
For example:
true when provided with config data for any other price adapter due to missing length check of the supplied config bytes.
areParamsValid(...) check as BoundedStepwiseLogarithmicPriceAdapter.isPriceAdapterConfigDataValid(...), therefore exponential/logarithmic config data can be mixed up among these two price adapters while the validation will always return true since the config bytes do not contain any sort of identifier.
Impact
The explicit price adapter config data validation is insufficient as soon as multiple price adapters come into play and therefore fails to prevent misconfiguration before pricing issues arise during the subsequent bidding process. Such a misconfiguration going unnoticed can lead to unintended price curves that therefore incur losses for the bidders or simply disincentivize bidders from helping to rebalance.
Furthermore, it is worth mentioning that even the original test cases contain such an unnoticed misconfiguration (see comments in PoC code), which emphasizes the severity and likelihood of this issue.
Code Snippet
The following PoC modifies existing test cases to demonstrate the aforementioned example issues. Just apply the diff below and run the test with npx hardhat test test/protocol/modules/v1/auctionRebalanceModuleV1.spec.ts.
Log:
The test cases show that the misconfiguration goes completely unnoticed in AuctionRebalanceModuleV1.startRebalance(...), and even most of the bidding process runs successfully.
Tool used
Manual Review
Recommendation
Check the length of the provided config data bytes in the respective IAuctionPriceAdapterV1.isPriceAdapterConfigDataValid(...) methods and add a price adapter identifier (e.g. first 4 bytes of namehash) to the config data in order to prevent successful validation of mismatching data.
Alternative: In case the current validation behaviour is intended and the SetToken manager is trusted to always provide correct config data, the validation method can be removed from the contract to save gas.
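The recommendation above, sketched as an added example that is not code from the audited repository or from the report's PoC. The contract name, the single-price config layout and the identifier string are hypothetical, and the pragma assumes Solidity 0.8.x for the calldata slice conversion.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only; not code from the audited repository.
// The contract name and the single-price config layout are hypothetical.
contract TaggedConstantPriceAdapterExample {
    // Adapter identifier: first 4 bytes of keccak256 of a (hypothetical) adapter name.
    bytes4 public constant ADAPTER_ID =
        bytes4(keccak256("TaggedConstantPriceAdapterExample"));

    // 4-byte identifier followed by one ABI-encoded uint256 word.
    uint256 private constant CONFIG_LENGTH = 4 + 32;

    // Weak pattern described in the report: decode and range-check only.
    // abi.decode ignores trailing bytes, so a longer config built for another
    // adapter passes as long as its first word is non-zero.
    function isValidUnchecked(bytes memory data) external pure returns (bool) {
        uint256 price = abi.decode(data, (uint256));
        return price > 0;
    }

    // Builds config data carrying the identifier in front of the payload.
    function getEncodedData(uint256 price) external pure returns (bytes memory) {
        return abi.encodePacked(ADAPTER_ID, abi.encode(price));
    }

    // Hardened pattern from the recommendation: exact length first, then the
    // identifier, then the value checks.
    function isPriceAdapterConfigDataValid(bytes calldata data)
        external
        pure
        returns (bool)
    {
        if (data.length != CONFIG_LENGTH) return false;
        if (bytes4(data[:4]) != ADAPTER_ID) return false;
        uint256 price = abi.decode(data[4:], (uint256));
        return price > 0;
    }
}
```

An adapter tagged this way must also skip the 4-byte identifier in its pricing function, so that validation and pricing decode the same payload.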