Full Report
The author first links a thread about a weird bug pattern in AMMs. A simple lending protocol distributes fees pro rata: the vault holds the underlying asset and issues shares of the pool, and the number of shares you receive depends on when you entered and how much you gave to the protocol. Shares are minted as amount * totalSupply / totalAssets, with the division rounding down. When amount * totalSupply is less than totalAssets, the result rounds down to 0. If totalSupply is 1 and totalAssets is 2 and a user deposits a single unit, the minted share amount is 0, so totalSupply stays unchanged while totalAssets goes up by 1. Repeating this over and over, the ratio increases by 2x. An example of this exploit comes from the MIM protocol, where 6M was stolen. They performed this attack on an active pool by...TODO...
Analysis Summary
# Vulnerability: Share Calculation Foundation Flaw (Inflation Attack) in SovrynBTC
## CVE Details
- **CVE ID**: N/A (Standard for many DeFi/Smart Contract vulnerabilities reported via bug bounties)
- **CVSS Score**: Estimated 7.5 (High) - based on potential for total loss of user funds.
- **CWE**: CWE-682 (Incorrect Calculation), CWE-190 (Integer Overflow or Wraparound / Precision Loss)
## Affected Systems
- **Products**: SovrynBTC lending/vault protocols
- **Versions**: Codebase active prior to June 20, 2024
- **Configurations**: Liquidity pools or vaults using the standard `amount * totalSupply / totalAssets` formula for share distribution without "virtual shares" or minimum liquidity protections.
## Vulnerability Description
The flaw is a classic **Inflation Attack** (also known as a "Donation Attack") common in vault-based AMMs. The protocol calculates the number of shares to mint for a depositor using the formula:
`shares = amount * totalSupply / totalAssets`
Because Solidity performs integer division and rounds down, an attacker can manipulate the ratio by:
1. **Direct Donation:** Sending a large amount of the underlying asset directly to the vault contract (increasing `totalAssets`) without calling the deposit function (keeping `totalSupply` low).
2. **Precision Loss:** When a legitimate user deposits, if the value of `amount * totalSupply` is smaller than `totalAssets`, the division results in **0 shares** being minted to the user.
3. **Asset Theft:** While the user receives 0 shares, their deposited assets are still added to the vault’s `totalAssets`, effectively increasing the value of the attacker's pre-existing shares.
## Exploitation
- **Status**: PoC discovered and submitted via Immunefi; patched before malicious exploitation. Similar patterns were used in the $6M MIM (Magic Internet Money) exploit.
- **Complexity**: Medium (Requires precise calculation of donation amounts).
- **Attack Vector**: Network (Smart Contract Interaction).
## Impact
- **Confidentiality**: None
- **Integrity**: High (User receives fewer/no shares for their deposit)
- **Availability**: High (Loss of funds for depositors)
## Remediation
### Patches
- The SovrynBTC team addressed the issue following the disclosure on June 20, 2024. Users should ensure they are interacting with the updated contract versions deployed post-disclosure.
### Workarounds
- **Virtual Shares:** Implement "virtual shares" (initial 10^3 shares sent to a burn address) to make the cost of rounding-down attacks prohibitively expensive.
- **Internal Balances:** Use an internal bookkeeping variable for `totalAssets` rather than relying on `balanceOf(address(this))`, which prevents "donation" manipulation.
- **Slippage Checks:** Users should implement `minSharesOut` parameters on their deposits.
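As an added example (not code from the disclosure, Immunefi, or Sovryn), the following Python model runs the share formula from the Vulnerability Description with integer division, then applies the three workarounds above: internal balances, 10^3 dead shares, and a `minSharesOut` check. The vault, token amounts, and burn-address mechanics are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

DEAD = "0xdead"        # burn address that holds the minimum-liquidity shares
MIN_LIQUIDITY = 10**3  # the 10^3 dead shares from the workaround list

@dataclass
class Vault:  # constructed integer-math model, not the protocol's own code
    hardened: bool = False        # True: internal balances + dead shares
    balance: int = 0              # what balanceOf(address(this)) would report
    tracked: int = 0              # internal bookkeeping, moved only by deposit()
    total_supply: int = 0
    shares: dict = field(default_factory=dict)

    def total_assets(self) -> int:
        # The vulnerable variant trusts the token balance, so a bare transfer moves it
        return self.tracked if self.hardened else self.balance

    def donate(self, amount: int) -> None:
        # A direct ERC-20 transfer to the vault: no deposit() call, no shares minted
        self.balance += amount

    def deposit(self, who: str, amount: int, min_shares_out: int = 0) -> int:
        dead = 0
        if self.total_supply == 0:
            minted = amount
            if self.hardened:
                # First depositor funds 10^3 dead shares that can never be redeemed
                if amount <= MIN_LIQUIDITY:
                    raise ValueError("first deposit too small for minimum liquidity")
                dead, minted = MIN_LIQUIDITY, amount - MIN_LIQUIDITY
        else:
            # Formula from the disclosure: floor(amount * totalSupply / totalAssets)
            minted = amount * self.total_supply // self.total_assets()
        if minted < min_shares_out:  # the minSharesOut slippage check
            raise ValueError(f"slippage: got {minted} shares, wanted {min_shares_out}")
        self.balance += amount
        self.tracked += amount
        self.total_supply += minted + dead
        self.shares[DEAD] = self.shares.get(DEAD, 0) + dead
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

def run_scenario(hardened: bool, seed: int, min_shares_out: int = 0) -> tuple:
    """Seed deposit, 1e18 donation, 1e18 victim deposit -> (victim shares, attacker % of supply)."""
    v = Vault(hardened=hardened)
    v.deposit("attacker", seed)
    v.donate(10**18)
    victim = v.deposit("victim", 10**18, min_shares_out)
    return victim, 100 * v.shares["attacker"] // v.total_supply
```

With the balance-based vault a 1-unit seed leaves the victim with 0 shares and the seeder holding 100% of supply; the hardened vault rejects a 1-unit seed outright and, seeded with 10^4, credits the victim with all 10^18 shares because the donation never reaches `totalAssets`.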
## Detection
- **Indicators of Compromise**: Small `totalSupply` coupled with a disproportionately large `totalAssets` balance in a vault.
- **Detection methods**: Monitoring for `Transfer` events to a vault address that are not accompanied by a corresponding `Deposit` or `Mint` event.
## References
- **Original Disclosure Thread**: hxxps://x[.]com/gandu_whitehat/status/1803794103248806223
- **Platform**: hxxps://immunefi[.]com/
- **Vendor**: hxxps://x[.]com/SovrynBTC