Bald Cloud Pony
Medium
The use of the pool contract reserve token balance during endAuction opens a possibility for users to manipulate the pool balance and force auction closure with the preferred outcome.
In Auction.sol:341 there is a check of the pool balance of reserve token to not exceed poolSaleLimit:
Users can manipulate this condition by supplying or withdrawing a specific amount of reserve tokens according to their intent.
- The auction ended with enough coupon tokens accumulated from bids.
No response
- The auction is at the end of the bidding period and has accumulated enough coupon tokens to end successfully
- The levETH holder sees that the reserve token amount to be sent from the pool does not exceeds
poolSaleLimitthus auction will succeed - The levETH holder redeems their levETH thus decreasing the reserve token balance to the level to not pass
poolSaleLimit - The levETH holder calls
endAuction()and the auction ends with the stateState.FAILED_POOL_SALE_LIMIT - The levETH holder buys back their levETH tokens
Note that a similar attack can be executed in the opposite direction by bondETH holders, if they see it being profitable, to make poolSaleLimit check pass.
Incentives for the attack:
- Holders of bondETH are incentivized to end auctions with
State.SUCCEEDEDotherwise they will not receive coupon payments - Holders of levETH are incentivized to end auctions with
State.FAILED_POOL_SALE_LIMITto prevent coupon payments, as this decreases reserves and, thus, the levETH token price.
poolSaleLimitcan be bypassed jeopardizing the pool's financial health.- bondETH holders may not receive coupon payments while levETH holders unfairly benefit from holding reserves and levETH price unchanged.
- levETH holders may incur losses due to reserves (and thus levETH price) falling below expectations while bondETH holders unfairly benefit from the forced coupon distribution.
No response
One possible mitigation could be to introduce a cooldown period for creation and redemption of bondETH and levETH.