Skip to content

Latest commit

 

History

History
44 lines (24 loc) · 2.62 KB

084.md

File metadata and controls

44 lines (24 loc) · 2.62 KB

Loud Mocha Platypus

High

Malicious users can steal all incentives offered in DebitaIncentives.sol

Summary

Malicious user can lend and borrow to themselves to create fake volume, while only paying the small protocol fees, to grab all the incentives offered for any epoch and any token.

Because incentive token payouts are based purely on volume and monetary flow of a user matching offers, malicious user can abuse this to steal nearly all incentives all the time, with only paying fees, which would be far less than the incentive tokens are worth.

This is worse than traditional bot airdrop/incentive/points farming, because there's complete freedom to abuse it ubiquitously to the absolute maximum with no checks or restrictions.

Root Cause

See summary.

Internal pre-conditions

See summary.

External pre-conditions

See summary.

Attack Path

  1. Projects or users can fund the incentive contract via incentivizePair(). This loads up essentially a "pool" of funds in the state variables lentIncentivesPerTokenPerEpoch and borrowedIncentivesPerTokenPerEpoch. So when a user borrows or lends some non-zero value, they will get credited in relation to these incentives which have been donated.
  2. When offers end up matching inside MatchOfferV3(), the updateFunds() function is called, which credits the lender and the borrower based on the principle amount, and also increments the totalUsedTokenPerEpoch. This total is used to track the total activity associated with the incentives offered for the epoch and token.
  3. User can spam back and forth with themselves to create borrow and lend offers that match, call MatchOfferV3(), and this will increase their lent and borrowed amounts along with the total.
  4. For example, they could do 1000 matched offers where each offer is 100 principle amount, leading to 100,000 for their LENT, BORROWED, and the TOTAL tracked values for the incentive. If non-malicious activity was only 10,000 out of the 100,000 for that epoch and token, then the malicious user's essentially stole 90% of the incentive rewards from normal users for free. All they have to do is pay the fees.

Impact

Theft of all incentives through spammed matching of offers.

PoC

None.

Mitigation

Limit the amount of incentives that can be earned through raw volume. Consider approaches that minimize 'airdrop farming' kind of techniques.