Arcadia’s Partnership with Pashov Group

Arcadia has partnered with Pashov and the Pashov Group team for our third security review of the Arcadia Protocol V2. The full report can be accessed here.

For more information on our first and second security audits, read here and here.

Why we chose to work with Pashov

• Almost singularly focus and with deep expertise in novel DeFi primitives. They have helped secure protocols like Tapioca, Redacted, Radiant, 1inch, Ethena, among others.
• Longstanding track record of excellence — More than $500M in TVL secured by Pashov group.
• Unmatched experience — Combined reported security vulnerabilities count of over 1000.

Note: Even after two previous audits conducted by two different tier 1 firms on the same scope, Pashov managed to still highlight relevant findings in the code.

The Scope

The scope includes a total 2.596 nsloc, comprising the Arcadia Accounts V2 repo and the Arcadia Lending V2 repo. Both repos comprise full coverage of the Arcadia V2 code.

• Arcadia Accounts V2: https://github.com/arcadia-finance/accounts-v2/commit/4f4057d4ebafb0fbf739cbf627ff397d0e569c19
• Arcadia Lending: https://github.com/arcadia-finance/lending-v2/commit/03f930c55094582cbb11ff25791a3e560bfa917c

Highlights

In this post we will highlight finding [M-02] Tranche share ratios can be manipulated by donating via liquidations

The manipulation of ERC4626 shares is a common attack vector found as the root cause of many recent exploits. Since mathematics in the EVM are using integers, small rounding effects can create significant impact within the accounting in smart contracts. In a manipulation of share ratios, an attacker mints a very low amount of shares (eg. 1 wei) on an ‘empty’ ERC4626 and subsequently donates assets to that ERC4626. The 1 wei of shares now represent a large amount of assets, for example, 1000 USDC. Should another user deposit a moderate amount of assets into the ERC4626, for example, 500 USDC, that user will not mint a single wei shares (1 wei shares per 1000 USDC), and thus the attacker receives the deposit of the subsequent user(s).

Arcadia Lending tranches are immune to share ratio manipulation through direct donations. However, the team at Pashov Group identified another way in how assets could be donated to the Tranche after a successful liquidation.

When an Account of a user goes into liquidation, it could occur that more assets from the Account are liquidated than the open debt of the Account. In such a scenario, the surplus of funds recovered through the liquidation belong not to the lending pool or liquidator, but to the original Account owner. If all debt has been recovered, it only makes sense to forward the surplus towards said Account owner.

Here’s a concrete example of the conditions that would have to be met in order for the situation outlined above to take place:

• A malicious Account owner transfers the ownership of the Account to a new, almost empty Tranche;
• A decrease in market prices causing a liquidation to be triggered;
• A surplus after the Account liquidation must exist which is sent to the Tranche;
• The attacker must still be the sole liquidity provider through that Tranche.

This surplus will eventually be sent to the Tranche, as it is now the owner of the Account. When such a situation could occur, this whole flow essentially results in a direct donation to an empty tranche.

Mitigation

Upon processing this finding, the team could proceed in two manners: Close up this flow of donation by preventing a Tranche to become owner of an Account, or alternatively, find a way to prevent any possible share ratio manipulation, including in scenarios that may not have been detected yet.

Taking the impact of share ratio manipulations very seriously, the team decided to go with the second option and introduced the concept of ‘virtual assets and shares’ in the Tranches. By doing so, the Tranche will add a non-insignificant amount of virtual assets and shares to its bookkeeping. This has the same effect as if a Tranche is never ‘empty’, since some amount of shares are present from the start. As a result, manipulating share ratios now becomes many orders of magnitude more expensive to perform.

This is the third audit of the protocol prior to launch. Arcadia places, and will continue to place, the highest priority on security. There’s a fourth audit + audit contest coming next.

To stay up to date with Arcadia, follow @ArcadiaFi on X and join the Discord.