On May 9 we have received a bug report by a whitehat stating that there is an issue with pallet XYK liquidity mining allowing manipulation of price to gain bigger reward share than expected in one single batch transaction.
The attacker would increase the price of valued token (i.e. DOT) by selling MYTH to the pool, then enter the pool with his own liquidity with MYTH and DOT while also entering the farm at inflated price and then Arbing the pool back in the same batch to prevent value extraction.
While this was technically possible to do, the practicality of such attack in reality was 0. The only vulnerable pool at the moment was MYTH-DOT pool, the attack required large amount of capital in MYTH (and DOT) sourced outside of Hydration to be even close to profitable (upwards of million $) and would pay large amount of fees which would require attacker to stay in the pool for long period (weeks) of time to recover from the initial costs. This in reality makes it completely infeasible.
However, we acknowledge that this could be improved by similar way we protect Omnipool from these attacks - using oracle to price shares of a pool while entering it. Since this was not critical issue in practice and it was non-trivial fix, it took us longer time than our standard. By monitoring the MYTH pool we saw that there was no such manipulation happening in the real world.
As such we would like to award 5000$ in HDX at 7 day EMA of 0.00863 for Medium level runtime issue and would like to thank whitehats that help us secure the Hydration chain.
fix: https://github.com/galacticcouncil/hydration-node/pull/1153
in recent release: https://hydration.subsquare.io/referenda/144