The variable `fShareRatio` is vulnerable to manipulation by flash minting and burning

[code423n4]

Handle

shw

Vulnerability details

Impact

The variable fShareRatio in the function purchaseMembership of contract FSDNetwork is vulnerable to manipulation by flash minting and burning, which could affect several critical logics, such as the check of enough capital in the pool (line 139-142) and the staking rewards (line 179-182).

Proof of Concept

The fShareRatio is calculated (line 136) by:

(fsd.getReserveBalance() - totalOpenRequests).mul(1 ether) / fShare;

where fsd.getReserveBalance() can be significantly increased by a user minting a large amount of FSD tokens with flash loans. In that case, the increased fShareRatio could affect the function purchaseMembership results. For example, the user could purchase the membership even if the fShareRatio is < 100% previously, or the user could earn more staking rewards than before to reduce the membership fees. Although performing flash minting and burning might not be profitable overall since a 3.5% tribute fee is required when burning FSD tokens, it is still important to be aware of the possible manipulation of fShareRatio.

Referenced code: FSDNetwork.sol#L134-L142 FSDNetwork.sol#L178-L182

Recommended Mitigation Steps

Force users to wait for (at least) a block to prevent flash minting and burning.

[fairside-core]

I believe this to be a minor (1) or none (0) severity issue given that the manipulation of fShareRatio is unsustainable due to the fee and the example given is actually not possible. If I affect fShareRatio to go above 100% to purchase a membership, I will be unable to burn the necessary FSD to go below 100% again as burning is disabled when the ratio is or would go to below 100%.

[fairside-core]

Fixed in PR#2.

[cemozerr]

Labeling this as low risk as 3.5% tribute fee makes it very unlikely that these flash minting will be profitable.