Post-Mortem Report: Precision Error for Actions in Integral SIZE

Summary

A potential vulnerability was identified in the Integral protocol via our Immunefi bounty program. The flaw involved an exploit in the deposit function which allowed an attacker to initialize the total shares of a LP position to a small integer and then directly transfer funds to the contract. This in turn could lead to a rounding error when a legitimate user attempted to deposit funds, effectively decreasing the user’s share to the amount transferred by the attacker. We did not observe the exploit active in production and we have since deployed a patch and the system is back to running as normal. No user funds were lost.

Key Issue

The core problem was a lack of precision for total shares when an initial deposit was of a relatively small amount. This vulnerability enabled an attacker to attempt to force a victim deposit or enqueued trading shares to round down to nearly zero or have substantial rounding errors that biased the accounting of funds in favor of the attacker.

The attacker could only exploit this vulnerability by front-running a victim’s order and stealing the amount the victim intended to swap or deposit for.

The attack vector was as follows:

  1. Attacker sends 1e-6 USDC (0.000001 USD worth) to the TwapDelay contract and it gets enqueued.
  2. At this point the totalShares in the enqueue system is 1 (integer). This is the minimum integer.
  3. Another user (the victim) sends an order to swap 1,000 USDC (1k USD) for WETH.
  4. The attacker sees the order, and front-runs it by sending an amount an order of magnitude similar to or higher, to the TwapDelay contract. In this example, the attacker would send 1,000 UDSC.
  5. At this point, total share (newShares) in the system are 1 * (1,000e6 + 1,000e6 + 1) / (1,000e6 + 1) = 1. Note that the answer would be 1.99999 without truncation or integer limitation but due to truncation, the newShares would still be 1.

Victim’s Share = newShares – totalShares = 1 – 1 = 0

Hacker’s Share = totalShares – victim’s Shares = 1 – 0 = 1 6. The attacker would end with 2,000 USDC worth of order to swap to WETH if there is no revert. If there is a revert at the pool level, the hacker would receive the refund of 2,000 USDC and the victim would receive 0 USDC refund.

The funds at risk were those currently enqueued in the delay before execution. As a result, the attack was only relevant to future swaps or deposits of user funds. Deposits, sell, and buy and atomic swap orders from users were all at risk during this vulnerability. The funds already within the pool were not under threat.

Solution

To address the vulnerability, the Integral team deployed a fix which implemented a minimum precision amount, thus preventing such significant rounding errors. This solution ensures that the total shares can’t be manipulated by small initial deposits and transfers.

As an immediate response upon receipt and confirmation of the Immunefi submission, the system was switched to withdrawal-only mode to prevent any exploitation. The fix was subsequently deployed on both the mainnet and Arbitrum versions.

Timeline of Events

July 10 – Received Immunefi report

July 10 – Confirmed and system set to withdraw only

July 11 – Patch developed and deployed

July 11 – trading and deposits turned back on and system returned to normal

Current Status

The system has now resumed regular operation following the implementation of the fix. The patch’s deployment protects users’ deposits, sell and buy orders from being exploited.

The report serves as a reminder of the critical role of community participation in ensuring the safety of DeFi protocols. The Integral team thanks the Immunefi community for their vigilance and support in identifying and addressing this vulnerability. We reiterate our commitment to providing a secure environment for all users.

The Integral team appreciates all efforts aimed at making DeFi safer and more reliable.

Tags

Integral Insights

Business

April 1st, 2024

Integral Insights March ‘24

We achieved several important milestones, including a new all-time-high daily volume for Arbitrum and the addition of four new pools on the Ethereum mainnet.

Updates

March 4th, 2024

Integral Insights February ‘24

Another milestone was reached on February 21st when Integral processed over $2 billion in cumulative volume.

Updates

February 1st, 2024

Integral Insights: January ‘24

Our initial launch with the ETH-RPL pool was a success, quickly elevating us to the second most utilized liquidity pool for this pair’s trading.

Research

January 17th, 2024

Is Liquidity Fragmentation Really That Bad?

When the token evolves into a store of value, it attracts outside traders, focusing on trading costs and slippage. This is when concentrated liquidity truly shines.

Updates

January 2nd, 2024

2023 Review

At Integral, our focus remains on developing a sustainable product for on-chain trading, serving both traders and liquidity providers.

Updates

December 12th, 2023

Integral Now Rewards Liquidity Providers with Trading Fees on Ethereum Mainnet

This enhancement enables liquidity providers (LPs) to directly receive a portion or all trading fees from Integral pools.

Updates

December 6th, 2023

Integral Insights: November ‘23

During November, Integral processed an average of approximately 6 million in volume with around 1.5 million in TVL. The system’s overall capital utilization sits at around 350%. It is the 10th most used DEX on Ethereum.

Updates

November 28th, 2023

Integral Now Rewards Liquidity Providers with Trading Fees

This enhancement enables liquidity providers (LPs) to directly receive a portion or all trading fees from Integral pools.

Research

November 15th, 2023

How Do University Blockchain Societies Gain So Many Votes?

Explore how university blockchain societies like FranklinDAO and Michigan Blockchain have grown into influential players in DAO governance, utilizing delegated votes and strategic partnerships to shape the future of DeFi protocols like Uniswap, Compound, and Aave.

Updates

November 6th, 2023

Integral Insight: October ‘23

We give an update for our work in October and highlight a profitable LP position from a long-term user.

Research

October 26th, 2023

Understanding the Stakes in Lido’s Growing Share of Staked ETH

The community is arguing whether a protocol may have too much control over the Ethereum network. Lido controls a large percentage of staked ETH, which could have consequences for the network’s future security and neutrality.

News

October 14th, 2023

Changes to Staking and Farming

Looking back at our progress so far and to the future with new updates to staking and farming.

Updates

October 11th, 2023

Integral Insight: September ‘23

We give an update for our work in September with utilization going up on higher volume for our new pools.

Research

October 11th, 2023

The Hottest Narratives of the Summer

What were the hottest narratives of the summer? Our DeFi research team delves into the growth of trading bots, RFV traders and more in this overview.

Research

October 2nd, 2023

Uniswap Governance: A Deep Dive

Governance is considered a critical component for the decentralization and community-driven development of DeFi protocols. We take a look at one of the largest goverance ecostystems in DeFi, Uniswap. In this blog post, we'll discuss the landscape of Uniswap's governance, pulling data from empirical research to dissect the system's delegates and proposals, revealing some interesting findings.

Research

September 19th, 2023

What is the DAI Savings Rate (DSR)?

Our research team takes a look at the DAI Savings Rate and its influence on various yield dynamics in DeFi.

Updates

September 15th, 2023

Integral Insight: August ‘23

We give an update for our work in August with cheaper gas fees and the launch of the Integral Relayer on Arbitrum!

Product

September 7th, 2023

Integral Relayer Launches on Arbitrum

We are excited to announce the launch of the Atomic Relayer on Arbitrum. This will bring the efficient and tested system for atomic trades to the Arbitrum Layer 2 network!

Research

August 26th, 2023

How CRV Got Sold OTC

In this post we cover how the Curve founder sold large amounts of CRV in over-the-counter trades in order to prevent a potentially catastrophic liquidation event in DeFi.

News

August 18th, 2023

Integral Insight: July '23

Sharing our progress in July: preparations for atomic swaps on Arbitrum, trading SIZE with lower gas fees and more.