ChainLight Patch Thursday - #Astroport's Governance DoS!
Author: ChainLight
ChainLight Patch Thursday - The first week of June!
Do you know when round-down occurs in smart contracts? Recently, there have been many cases where round-down has caused problems, resulting in bugs that can inflate the value of tokens (also known as token inflation attacks) in DeFi. We discovered a bug related to this issue at @astroport_fi and reported it through @Immunefi. As a result, the Astroport team has applied a patch to address it.
Bug Description
When the Staking.rs contract is in its initial state, or after all liquidity has been removed, an attacker can deflate the $xASTRO token and break the staking functionality for everyone.
Scenario
Consider the following attack scenario:
1. Stake 1 wei of $ASTRO to the Staking.rs contract and receive 1 wei of $xASTRO.
2. Transfer the maximum available $ASTRO that the attacker can get to the Staking.rs contract.
Any staking attempt after the attack will fail (the mint amount will be zero) unless the staker is willing to stake more $ASTRO than the attacker had.
Fortunately, Astroport reverts when the mint quantity is 0. If a revert did not happen, there is a possibility that tokens could be drained from subsequent liquidity providers.
The mint quantity becomes 0 because the amount of $xASTRO minted in the staking pool follows the formula (amount_to_stake * x_token_total_supply) / total_staked_amount, and the attacker's "donation" increases total_staked_amount significantly compared to the supply of $xASTRO.
Detailed Impact
The attacker can become the only holder of $xASTRO if they launch the exploit with a significant amount of $ASTRO tokens.
This may lead to more severe consequences, such as the attacker monopolizing the voting power and thus controlling the outcome of a governance proposal vote, since $xASTRO is used to calculate voting power in Astroport's governance system.
This vulnerability arises due to the absence of a minimum liquidity requirement, which can result in round-down issues. Such round-down issues (e.g., token inflation attacks) can occur not only in DEX or lending protocols but also in governance tokens. These issues were particularly significant in the case of Astroport.
Although Astroport, the DEX, has implemented safeguards against bugs that may arise from the lack of a minimum liquidity variable in LP pools, the discovery of such vulnerabilities highlights the need to consider the possibility of similar occurrences in the governance token creation pool.
Solution
The solution is simple. During the initial liquidity provision, enforce a minimum liquidity amount (MINIMUM_LIQUIDITY) and send the corresponding LP tokens to a dead address.
This solution is adopted in #Uniswap V2 and is also mentioned in the Uniswap V2 whitepaper, specifically in the "3.4 Initialization of liquidity token supply" section.
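The mint formula from the Bug Description and the MINIMUM_LIQUIDITY fix, modelled side by side as an added example (this is not Astroport's contract code or its patch). The Pool type, the function names, and the value 1000 (Uniswap V2's constant) are assumptions made for illustration.

```rust
// Simplified share-minting model for illustration; not Astroport's contract code.
const MINIMUM_LIQUIDITY: u128 = 1_000; // Uniswap V2's value, assumed for this sketch

#[derive(Default)]
struct Pool {
    total_staked: u128, // token balance held by the pool, including direct transfers
    x_supply: u128,     // total supply of the share token
}

impl Pool {
    /// Stake `amount`, return shares minted to the staker; `min_liq` = 0 is the unpatched model.
    fn stake(&mut self, amount: u128, min_liq: u128) -> Result<u128, &'static str> {
        let (minted, locked) = if self.x_supply == 0 {
            if amount <= min_liq {
                return Err("initial stake must exceed the minimum liquidity");
            }
            (amount - min_liq, min_liq) // `locked` shares go to a dead address
        } else {
            // Formula from the post; integer division rounds down.
            (amount * self.x_supply / self.total_staked, 0)
        };
        if minted == 0 {
            return Err("mint amount is zero");
        }
        self.total_staked += amount;
        self.x_supply += minted + locked;
        Ok(minted)
    }

    /// A direct token transfer raises the balance without minting shares.
    fn donate(&mut self, amount: u128) { self.total_staked += amount; }

    /// Smallest later stake that still mints at least one share: ceil(T / S).
    fn min_accepted_stake(&self) -> u128 {
        (self.total_staked + self.x_supply - 1) / self.x_supply
    }
}

/// First stake, then a direct transfer; returns the resulting stake threshold.
fn threshold_after(first: u128, transfer: u128, min_liq: u128) -> u128 {
    let mut pool = Pool::default();
    pool.stake(first, min_liq).expect("first stake accepted");
    pool.donate(transfer);
    pool.min_accepted_stake()
}

fn main() {
    println!("unpatched: {}", threshold_after(1, 1_000_000, 0));
    println!("patched:   {}", threshold_after(1_001, 1_000_000, MINIMUM_LIQUIDITY));
}
```

For the same 1,000,000-unit transfer, later stakers need at least 1,000,001 units without the locked minimum and 1,001 units with it, because the locked shares keep the supply from being tiny relative to the balance.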
While triggering this attack is currently difficult, it is an important example of how round-down issues can arise unexpectedly. You can check the patch that Astroport implemented here.