Immunefi report payout - Malicious users will steal LP shares cross‑pool from liquidity‑mining depositors

We have received a report via Hydration Immunefi bug bounty programme, labeled as "Critical", titled "Malicious users will steal LP shares cross‑pool from liquidity-mining depositors".

Immunefi report summary:

A confused‑deputy / cross‑pool unlock in the withdrawal path will cause a direct loss of LP shares for LPs whose shares are locked in the pallet account as an attacker will pass a forged asset_pair to withdraw_shares so that the pallet unlocks the wrong LP token (from a richer pool) and transfers it to the attacker.

We evaluated the report and acknowledged the severity of the vulnerability. The Technical Committee paused share withdrawals from XYK liquidity mining and performed a runtime upgrade with a fix. After the upgrade, the Technical Committee unpaused the share withdrawals and restored the full functionality of XYK liquidity mining.

The vulnerability

The root cause of the vulnerability was the missing validation of the AssetPair provided by the user. In XYK liquidity mining, the AssetPair is used to derive the amm_pool_id, which identifies the AMM pool and determines which LP shares to unlock.

The fix

We added a cross-check between the amm_pool_id derived from the AssetPair and the amm_pool_id saved in the deposit.

ensure!(amm_pool_id == deposit.amm_pool_id, Error::<T, I>::AmmPoolIdMismatch);

https://github.com/galacticcouncil/hydration-node/commit/2fb7430d615c4c50a6905c8218b01649423714f7

Economic assessment

At the time of the report, there were 2 XYK pools with farms running, this would make this attack possible to perform. The attacker would need to accrue "lower valued shares" from DOT<>MYTH pair and join LM to be able to extract "higher valued shares of DOT<>EWT". By doing so, he would lock these shares forever.

There is roughly 200k$ worth of DOT <> EWT in LM. We have calculated that an attacker would need to accrue roughly 40k$ worth of DOT <> MYTH to empty DOT <> EWT pool not considering the slippage and other problems attacker would face with low liquidity pools, it is safe to say the total NET extracted value would be under 200k$.

As such, minimum payout for “Critical” issue is 20k$ under our Immunefi bug bounty programme paid out in HDX with 7 day EMA price of 0.0088