steadyman
High
Prices can be forced up or down
Summary
An attacker can execute a large number of swapIn transactions (amountIn is very small, tokenIn is stableToken) to make swapIn of stableToken and swapOut of reserveToken impossible, and when other swaps occur, the price of stableToken will increase.
Root Cause
When tradingLimitState is updated, if _deltaFlow is very small, the calculation of _deltaFlowUnits will be 0 due to rounding. In that case, deltaFlowUnits is counted as 1 (tokenIn), so an attacker can use 1 tokenIn to increase netflow.
https://github.com/sherlock-audit/2024-10-mento-update/blob/main/mento-core/contracts/libraries/TradingLimits.sol#L124
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
An attacker can execute a large number of swapIn transactions (amountIn is very small, tokenIn is stableToken) to make swapIn of stableToken and swapOut of reserveToken impossible, and when other swaps occur, the price of stableToken will increase. The stableToken price rises because the attacker swaps in very little stableToken, while users swap out a lot of stableToken. At this point, the attacker can continue to execute a large number of swapIn transactions (amountIn is small, tokenIn is a stableToken) to make the price keep rising, or execute normal swaps for arbitrage.
Impact
The LP pool will be completely destroyed
PoC
No response
Mitigation
Set the AMOUNT_MIN variable
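The rounding described under Root Cause, modelled in Python next to a minimum-amount check of the kind the Mitigation suggests. This is an added example, not Mento's code and not part of the original report; DECIMALS, the 1000-unit limit, the sign handling for outflows and the AMOUNT_MIN value are assumptions.

```python
# Added model of the flow-unit rounding described in the report; not Mento's code.
DECIMALS = 18            # assumed token decimals
UNIT = 10 ** DECIMALS    # base units per whole token
AMOUNT_MIN = UNIT        # assumed value for the report's suggested AMOUNT_MIN

class FlowTooSmall(ValueError):
    """Raised by the hardened variant for flows below AMOUNT_MIN."""

def trunc_div(a, b):
    """Signed division truncating toward zero, as Solidity does (Python's // floors)."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b > 0) else -q

def units_as_reported(delta_flow):
    """Behaviour in the report: a flow that rounds to 0 units is counted as 1.
    Mirroring the sign for outflows is an assumption of this model."""
    units = trunc_div(delta_flow, UNIT)
    if units == 0:
        units = 1 if delta_flow > 0 else -1
    return units

def units_with_minimum(delta_flow):
    """Hardened variant: refuse sub-minimum flows instead of rounding them up."""
    if abs(delta_flow) < AMOUNT_MIN:
        raise FlowTooSmall(delta_flow)
    return trunc_div(delta_flow, UNIT)

def fill_limit(limit_units, amount_in, to_units, max_swaps=10_000):
    """Repeat one swap size until the netflow limit would be exceeded.
    Returns (swaps accepted, netflow in units, base units actually moved)."""
    netflow = swaps = 0
    while swaps < max_swaps:
        try:
            step = to_units(amount_in)
        except FlowTooSmall:
            break
        if abs(netflow + step) > limit_units:
            break
        netflow += step
        swaps += 1
    return swaps, netflow, swaps * amount_in

if __name__ == "__main__":
    LIMIT = 1000  # constructed limit, in whole-token units
    print("as reported :", fill_limit(LIMIT, 1, units_as_reported))
    print("with minimum:", fill_limit(LIMIT, 1, units_with_minimum))
    print("honest swap :", fill_limit(LIMIT, 100 * UNIT, units_as_reported))
```

In the as-reported run, 1000 base units of input (a negligible fraction of one token) use up the same 1000-unit limit that ten 100-token swaps would, which is the accounting gap a minimum amount closes.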