myctrl.tools

SC02Business Logic Vulnerabilities

>Control Description

Business logic vulnerabilities occur when a smart contract's intended economic or functional behavior can be undermined despite correct low-level checks. These represent design flaws in how system rules, incentives, state transitions, and invariants are implemented on-chain. Unlike low-level bugs (overflow, reentrancy), these arise when the rules themselves are unsafe — the code functions as written, but the rules permit exploitable outcomes. **Key Focus Areas:** - Invariant violations across modules (vault/strategy/gauge, collateral/debt, supply/backing) - Reward and fee logic (double-counting, under/over-accrual, wrong beneficiary) - Eligibility and limit checks that are bypassable or inconsistently enforced - Path-dependent state machines allowing manipulative action sequences - Cross-module and cross-chain assumptions (bridge liquidity, L2 finality, message ordering) **Exploitation Methods:** - Arbitrage between inconsistent accounting (vault vs. strategy, internal vs. external balance) - Order-of-operations edge cases (deposit/withdraw/claim sequences breaking invariants) - Eligibility bypasses (claiming rewards without stake, liquidating healthy positions) - Parameter manipulation creating economically irrational states

>Prevention & Mitigation Strategies

  1. 1.Model protocol economics explicitly using adversarial simulations and agent-based models rather than relying on intuition.
  2. 2.Express core invariants in code and tests, e.g., total value withdrawn cannot exceed total deposits + realized yield, rewards distribution is proportional to time-weighted stake.
  3. 3.Use formal verification and property-based fuzzing for key accounting paths (vaults, strategies, reward distribution).
  4. 4.Version and gate new strategies/spells: roll out behind caps, monitor metrics and on-chain invariants before raising limits.
  5. 5.Ensure governance and operations teams understand invariants, not just auditors.

>Attack Scenarios

#1Abracadabra (March 2025, $12.9M loss)

Flawed collateral accounting in GMX V2 CauldronV4 contracts enabled attackers to exploit broken economic invariants: (1) made a deposit into GMX designed to fail, leaving tokens stuck in OrderAgent, (2) self-liquidated their position causing the contract to erase the position but fail to remove the associated order and collateral, (3) used the ghost collateral to borrow 6,260 ETH (~$12.9M).

#2Yearn Finance (November 2025, $9M loss)

A design flaw in the yETH weighted stableswap pool's fixed-point iteration solver allowed attackers to force the solver into divergent behavior. Through highly imbalanced liquidity operations, they caused the product term to collapse to zero, converting the pool from a hybrid stableswap invariant to a constant-sum curve, enabling minting of approximately 2.35x10^56 yETH LP tokens without collateral.

>References

Ask AI

Configure your API key to use AI features.