Patch Thursday — Token inflation Vulnerability at Astroport

ChainLight
ChainLight Blog & Research
Jun 8, 2023

Designed by Aidar (Product Designer)

Author: wooz3k (Researcher at ChainLight), Wayne Kim (Technical Writer)

Introducing “ChainLight Patch Thursday”!

We posted this content on the ChainLight Twitter account on June 1st. If you want to view it on Twitter, click here!

What is Patch Thursday?

Patch Thursday is inspired by Patch Tuesday, when Microsoft regularly releases software patches. With Patch Thursday, ChainLight aims to unveil vulnerabilities and best practices in Web3 on a regular basis, just like Patch Tuesday. Starting this week, we will share the bugs and vulnerabilities we discovered through ChainLight Patch Thursday.

What is the first vulnerability that ChainLight discloses?

Our first disclosure is Astroport’s Governance DoS!

Do you know when round-down occurs in smart contracts? Recently, there have been many cases where round-down has caused problems, resulting in bugs that can inflate the value of tokens (also known as token inflation attacks) in DeFi. We discovered a bug related to this issue at @astroport_fi and reported it through Immunefi. As a result, the Astroport team has applied a patch to address it.

Bug Description

When the Staking.rs contract is in its initial state, or when the entire liquidity has been removed, an attacker can deflate the $xASTRO token and break the staking functionality for everyone.

Scenario: consider the following attack:

  1. Stake 1 wei of $ASTRO to the Staking.rs contract and receive 1 wei of $xASTRO.
  2. Transfer the maximum available $ASTRO that the attacker can get to the Staking.rs contract.

Any staking attempt after the attack will fail (the mint amount will be zero) unless the staker is willing to stake more $ASTRO than the attacker had.

Fortunately, Astroport reverts when the mint quantity is 0. If the revert did not happen, there is a possibility that tokens could be drained from subsequent liquidity providers.

The mint quantity becomes 0 because the amount of $xASTRO minted in the staking pool follows the formula (amount_to_stake * x_token_total_supply) / total_staked_amount, and the result is rounded down. The attacker's "donation" increases total_staked_amount significantly compared to the supply of $xASTRO, so the quotient falls below 1 for any smaller stake.

Detailed Impact

The attacker can become the only holder of $xASTRO if they launch the exploit with a significant amount of $ASTRO tokens. This may lead to more severe consequences, such as the attacker monopolizing the voting power and thus controlling the outcome of a governance proposal vote, since $xASTRO is used to calculate voting power in Astroport's governance system.

This vulnerability arises from the absence of a minimum liquidity requirement, which can result in round-down issues. Such round-down issues (e.g., token inflation attacks) can occur not only in DEX or lending protocols but also in governance tokens. These issues were particularly significant in the case of Astroport. Although Astroport, the DEX, has implemented safeguards against bugs that may arise from the lack of a minimum liquidity variable in LP pools, the discovery of this vulnerability highlights the need to consider similar occurrences in the pool that creates the governance token.

Solution

The solution is simple. During the initial liquidity provision, enforce a minimum liquidity supply amount (MINIMUM_LIQUIDITY) and send the corresponding LP tokens to a dead address. This solution is adopted in Uniswap V2 and is also described in the Uniswap V2 whitepaper, specifically in section "3.4 Initialization of liquidity token supply". While triggering this attack is currently difficult, it is an important example of how round-down issues can arise unexpectedly.

You can check the patch that Astroport implemented here: https://github.com/astroport-fi/astroport-core/commit/cc302a3d206eccb7c8d9b4fdf3384a3fd9d3678c
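The round-down from the Bug Description and the minimum-liquidity fix from the Solution, as an added Rust model (not Astroport's contract code or its patch). `Pool`, `stake`, `donate`, `victim_mint` and the `MINIMUM_STAKE` value of 1,000 are assumptions made for this illustration.

```rust
// Added illustration: simplified share-based staking pool, not Astroport's code.
// Pool, stake, donate, victim_mint and MINIMUM_STAKE (value assumed) are hypothetical.
const MINIMUM_STAKE: u128 = 1_000;

struct Pool {
    total_staked: u128,  // $ASTRO held by the pool, donations included
    share_supply: u128,  // $xASTRO total supply
    min_liquidity: u128, // shares locked on first stake; 0 models the unpatched pool
}

impl Pool {
    /// Returns the shares minted to the staker; a zero mint is rejected.
    fn stake(&mut self, amount: u128) -> Result<u128, &'static str> {
        let minted = if self.share_supply == 0 {
            // First stake: min_liquidity shares go to a dead address for good.
            if amount <= self.min_liquidity {
                return Err("initial stake too small");
            }
            self.share_supply = self.min_liquidity;
            amount - self.min_liquidity
        } else {
            // (amount_to_stake * x_token_total_supply) / total_staked_amount, rounded down
            amount.checked_mul(self.share_supply).ok_or("overflow")? / self.total_staked
        };
        if minted == 0 {
            return Err("zero mint");
        }
        self.total_staked += amount;
        self.share_supply += minted;
        Ok(minted)
    }

    /// A plain token transfer to the pool: balance grows, no shares are minted.
    fn donate(&mut self, amount: u128) {
        self.total_staked += amount;
    }
}

/// The page's scenario: first staker keeps 1 share, donates, then a second user stakes.
fn victim_mint(min_liquidity: u128, donation: u128, victim: u128) -> Result<u128, &'static str> {
    let mut pool = Pool { total_staked: 0, share_supply: 0, min_liquidity };
    pool.stake(min_liquidity + 1)?;
    pool.donate(donation);
    pool.stake(victim)
}

fn main() {
    println!("unpatched: {:?}", victim_mint(0, 1_000_000, 1_000_000));
    println!("patched:   {:?}", victim_mint(MINIMUM_STAKE, 1_000_000, 1_000_000));
}
```

With the locked shares in place, the same donation no longer rounds an ordinary stake down to zero, because the share supply it is divided against starts at the minimum instead of 1.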

✨ We are ChainLight!

ChainLight explores new and effective blockchain security technologies with rich practical experience and deep technical understanding. Our innovative security audits built upon such research proactively identify and eliminate various security risks and vulnerabilities in the Web3 ecosystem. To ensure continuous security even after the audit, we provide a digital asset risk management solution using on-chain data monitoring and automated vulnerability detection services.

ChainLight serves to guide and protect all users of decentralized services, lighting the way for a safer Web3 ecosystem.

  • Want to see more from the ChainLight team? 👉 Check out our Twitter account.

🌐 Website: chainlight.io | 📩 TG: @chainlight | 📧 chainlight@theori.io

Established in 2016, ChainLight's award-winning experts provide tailored security solutions to fortify your smart contract and help you thrive on the blockchain