Small Shamrock Rook

High

Reentrancy in closeLeverageStrategy() can manipulate the cNumaToken exchange rate

Summary

Reentrancy in closeLeverageStrategy() can be used to steal a large amount of funds from the vault.

Root Cause

In closeLeverageStrategy(), the _collateral token parameter is not enforced to be cNuma or cLst, allowing a maliciously crafted contract to be passed in.

Flashloan repayment can be avoided by re-entering and calling closeLeverageStrategy() with a tiny amount, which updates leverageDebt to a small value.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

There are many ways to exploit this to steal vault funds.

One way:

When we bypass the flash loan as explained in 'Root Cause', we force the underlying tokens to be transferred to the cToken. This increases the return value of getCashPrior(), which increases the exchange rate.

We can use a flash loan to mint cTokens -> do the exploit (which increases exchange rate) -> then redeem underlying tokens, effectively stealing the flash borrowed funds from the vault.
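
The exchange-rate effect described above can be watched for as a per-transaction invariant. The following is an added example, not code from this report or from the audited project. It assumes the standard Compound-style formula exchangeRate = (cash + borrows - reserves) / totalSupply; the snapshot fields, function names, tolerance and sample values are hypothetical.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class MarketSnapshot:
    """State of one cToken market at a point inside a transaction (hypothetical shape)."""
    cash: int          # underlying held by the cToken, i.e. what getCashPrior() reports
    borrows: int       # outstanding borrows
    reserves: int      # protocol reserves
    total_supply: int  # cTokens in circulation


def exchange_rate(s: MarketSnapshot) -> Fraction:
    # Assumed Compound-style formula; exact rationals avoid rounding noise.
    if s.total_supply == 0:
        raise ValueError("exchange rate is undefined with zero cToken supply")
    return Fraction(s.cash + s.borrows - s.reserves, s.total_supply)


def check_rate_jump(before: MarketSnapshot, after: MarketSnapshot,
                    tolerance: Fraction = Fraction(1, 10_000)) -> Optional[dict]:
    """Return a finding if the rate rose by more than `tolerance` between two
    snapshots taken inside the same transaction, else None.

    In this model mint, redeem, borrow and repay leave the rate unchanged, so a
    jump means underlying reached the cToken without cTokens being minted for it.
    """
    r0, r1 = exchange_rate(before), exchange_rate(after)
    if r0 == 0:
        raise ValueError("cannot compare against a zero starting rate")
    increase = r1 / r0 - 1
    if increase <= tolerance:
        return None
    # Underlying value not explained by the cToken supply at the old rate.
    unbacked = (after.cash + after.borrows - after.reserves) - r0 * after.total_supply
    return {"rate_before": r0, "rate_after": r1,
            "increase": increase, "unbacked_underlying": unbacked}


# Constructed sample data, not taken from any real market.
BASE = MarketSnapshot(cash=1_000_000, borrows=500_000, reserves=0, total_supply=75_000_000)
AFTER_MINT = MarketSnapshot(cash=1_100_000, borrows=500_000, reserves=0, total_supply=80_000_000)
AFTER_FORCED_TRANSFER = MarketSnapshot(cash=1_300_000, borrows=500_000, reserves=0, total_supply=75_000_000)

if __name__ == "__main__":
    print(check_rate_jump(BASE, AFTER_MINT))             # ordinary mint: None
    print(check_rate_jump(BASE, AFTER_FORCED_TRANSFER))  # cash rose, supply did not
```
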

PoC

No response

Mitigation

No response