Update to Recent Vulnerability Report: the Post Mortem

TL; DR: On July 31st, the core team was notified with a number of possible potential exploits regarding in the Integral SIZE system that would have allowed a malicious actor to profit in specific trading situations by taking favorable TWAP trades against SIZE LPs. While we did not identify any exploits of the bug, we had paused contracts out of caution.

After weeks of hard work, the vulnerability has been fixed. At the time of publication, trading, deposit, and withdrawal have all been resumed on SIZE. Farming reward will be resumed from September 26th, 2022.

To use SIZE, please visit size.integral.link

Just over a month ago we paused trading on Integral SIZE in response to a potential vulnerability in the trading system. We have since updated our smart contract architecture to fix this vulnerability. Here is a brief post-mortem of the events and how we have responded to ensure the safety of user funds.

On July 31st we received a white hat report of a potential vulnerability in the Integral SIZE contracts via Immunefi. The vulnerability could allow an actor to observe TWAP pricing and carry out a near-riskless arbitrage by executing or cancelling trades to potentially profit at the expense of SIZE LPs.

While we determined the exploit had not been taken advantage of, we decided to pause trading on the protocol to fix the vulnerability. We have always had security as a prime concern and protecting our users and LPs was most important.

You can read more about the full details of the vulnerabilities in our previous post.

To address these, we fixed several issues with the Integral SIZE contracts:

Fixed issue that allowed executing orders only during favorable TWAP pricing

We closed a potential exploit in the execution of orders, where a user could submit an order that would fail by default due to a lack of funds in our reserves. If and only if they liked the price of the order towards the end of the TWAP duration, they could send a bit of dust into our system and cause the order to execute. This would allow them to get “free” optionality on future token prices.

To fix this potential exploit, we worked to eliminate “free” optionality. Now orders execute partially so that orders that require reserves greater than are available will execute up to our reserves and then refund the remainder.

Fixed issue that allowed increasing order size at the end of TWAP

We closed a potential exploit in our delay contract where we keep track of order amounts using a shares system to gracefully handle token rebasing. Before this, a user could submit an order into the system and if they were the only user that had tokens in the delay, they could arbitrarily increase the size of their order. So towards the end of the TWAP duration, if they liked the TWAP price, they could increase their order size. This is another example of “free” optionality on future prices.

To prevent people from manipulating their order sizes we record the actual value of their tokens in addition to their share of the pool. If during execution we notice their order size has increased, we will only execute up to the original value and refund the remainder.

Fixed issue with custom deposits

We closed a potential issue with custom deposits where some users might not be credited for funds they sent to the pool under very specific circumstances. If they submitted a custom deposit with swapping enabled and the initial deposit resulted in remainders in both token amounts, we would deposit token0 but ignore token1.

Now, we return the excess funds for the token amounts we cannot swap. We have also optimized the system to always try to maximize the amount of LP tokens depositors receive per order.

From the beginning, we have looked to protect user funds first. While the circumstances of this possible exploit made it difficult to use in practice, we have taken the cautious route and will be deploying a protocol even more secure and fair for LPs. While the potential exploit was never observed in production, we treat vulnerabilities and potential vulnerabilities seriously to protect LP funds. We also want SIZE to be fair to LPs and keep our promise of mean-zero impermanent loss. That’s why we have fixed this potential vulnerability and will continue to monitor for any potential exploits going forward.

Reach out to us over Discord or Twitter if you have any questions.