code-423n4 / 2021-07-spartan-findings


SynthVault deposit lockup bypass #167

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details


The SynthVault.harvestSingle function can be used to mint & deposit synths without using a lockup. An attacker sends BASE tokens to the pool and then calls harvestSingle. The inner iPOOL(_poolOUT).mintSynth(synth, address(this)); call will mint synth tokens to the vault based on the total BASE balance sent to the pool, including the attacker's previous transfer. The entire amount is then credited to their weight.

This essentially acts as a (mint +) deposit without a lock-up period.

Recommended Mitigation Steps

Sync the pool before sending BASE to it through iRESERVE(_DAO().RESERVE()).grantFunds(reward, _poolOUT); such that any previous BASE transfer is wasted. This way only the actual reward's weight is increased.
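The following is an added illustration of the mitigation described above; it is not Spartan Protocol's code. The pool and vault are simplified stand-ins (SimplifiedPool, SimplifiedSynthVault, the 1:1 synth pricing, the placeholder calcReward, and the sync() signature are all assumptions made for the example); only the ordering of sync() before grantFunds() matters. With sync() first, any BASE that reached the pool before the harvest is folded into the pool's recorded balance, so mintSynth only sees the reward that grantFunds just sent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Interfaces and contracts below are
// simplified stand-ins whose names and signatures are assumptions.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
}

interface iPOOL {
    // Assumed: aligns the pool's recorded BASE balance with its actual token balance,
    // so BASE transferred in beforehand is absorbed into the existing LPers' share.
    function sync() external;
    // Assumed: mints synths against BASE that arrived since the last recorded balance.
    function mintSynth(address synth, address to) external returns (uint256 minted);
}

interface iRESERVE {
    function grantFunds(uint256 amount, address to) external;
}

// Minimal pool that tracks an accounted-for BASE balance; synths are priced 1:1
// against unaccounted BASE purely for illustration.
contract SimplifiedPool is iPOOL {
    IERC20 public immutable base;
    uint256 public baseAmount;                        // BASE the pool has accounted for
    mapping(address => uint256) public synthBalance;  // stand-in for an ERC-20 synth

    constructor(address _base) { base = IERC20(_base); }

    function sync() external override {
        // Whatever arrived since the last accounting now belongs to existing LPers.
        baseAmount = base.balanceOf(address(this));
    }

    function mintSynth(address /*synth*/, address to) external override returns (uint256 minted) {
        uint256 unaccounted = base.balanceOf(address(this)) - baseAmount;
        minted = unaccounted;          // the real pool prices synths against its reserves
        baseAmount += unaccounted;
        synthBalance[to] += minted;    // the real code mints the synth token at `synth`
    }
}

contract SimplifiedSynthVault {
    iRESERVE public immutable reserve;
    // synth => member => weight credited from harvests
    mapping(address => mapping(address => uint256)) public weight;

    constructor(address _reserve) { reserve = iRESERVE(_reserve); }

    // Placeholder reward calculation; the real vault derives this from member weight.
    function calcReward(address /*synth*/, address /*member*/) internal pure returns (uint256) {
        return 1e18;
    }

    function harvestSingle(address synth, address _poolOUT) external {
        uint256 reward = calcReward(synth, msg.sender);

        // Mitigation: sync first, so BASE pushed to the pool before this call is
        // attributed to existing LPers rather than to the harvester.
        iPOOL(_poolOUT).sync();

        // After the sync, the reward is the only unaccounted BASE in the pool...
        reserve.grantFunds(reward, _poolOUT);

        // ...so the synths minted here correspond to the reward alone.
        uint256 minted = iPOOL(_poolOUT).mintSynth(synth, address(this));
        weight[synth][msg.sender] += minted;
    }
}
```

Without the sync() call, the `unaccounted` figure inside mintSynth would include any BASE transferred to the pool before harvestSingle ran, and that extra amount would land in the caller's weight with no lockup; with it, the extra BASE simply raises baseAmount and the LPers' backing, which is the outcome the mitigation intends.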

verifyfirst commented 3 years ago

Although this is true, the attacker is not benefiting from any gain. They are only minting extra synths into the synthVault into their weight. It is no different to minting and then staking into the vault.

SamusElderg commented 2 years ago

@verifyfirst In my opinion this one should be confirmed, and the recommended mitigation also makes sense; any attempt to send in BASE by a bad actor can be attributed to the existing LPers instead.