Open code423n4 opened 3 years ago
Although this is true, the attacker is not benefiting from any gain. They are only minting extra synths into the synthVault into their weight. It is no different to minting and then staking into the vault.
@verifyfirst in my opinion this one should be confirmed and the recommended mitigation also makes sense; any attempt to send in BASE by a bad actor can be attributed to the existing LPers instead
Handle
cmichel
Vulnerability details
Vulnerability Details
The SynthVault.harvestSingle function can be used to mint & deposit synths without using a lockup. An attacker sends BASE tokens to the pool and then calls harvestSingle. The inner iPOOL(_poolOUT).mintSynth(synth, address(this)); call will mint synth tokens to the vault based on the total BASE balance sent to the pool, including the attacker's previous transfer. They are then credited the entire amount to their weight. This essentially acts as a (mint +) deposit without a lock-up period.
Recommended Mitigation Steps
Sync the pool before sending BASE to it through iRESERVE(_DAO().RESERVE()).grantFunds(reward, _poolOUT); such that any previous BASE transfer is wasted. This way only the actual reward's weight is increased.
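
A minimal model of the accounting described in the report, added here as an illustration and not taken from the project's contracts. It compares the weight credited by a harvest with and without a sync before the reward transfer. The class and function names, the amounts, and the 1 BASE = 1 synth = 1 weight rate are assumptions made to keep the arithmetic visible.

```python
class Pool:
    """Simplified pool: real BASE balance vs. the reserve it has accounted for."""

    def __init__(self):
        self.balance = 0    # BASE tokens actually held by the pool
        self.recorded = 0   # BASE reserve the pool has accounted for

    def receive(self, amount):
        # A plain token transfer changes the balance but not the recorded reserve.
        self.balance += amount

    def sync(self):
        # Fold unaccounted BASE into the reserve; it accrues to existing LPs.
        self.recorded = self.balance

    def mint_synth(self):
        # Mint against all BASE received since the reserve was last updated.
        added = self.balance - self.recorded
        self.recorded = self.balance
        return added  # assumption: 1 BASE mints 1 synth


class Vault:
    def __init__(self, pool, sync_first):
        self.pool = pool
        self.sync_first = sync_first  # True models the recommended mitigation
        self.weight = {}

    def harvest_single(self, member, reward):
        if self.sync_first:
            self.pool.sync()           # earlier stray BASE no longer counts
        self.pool.receive(reward)      # stands in for grantFunds(reward, pool)
        minted = self.pool.mint_synth()
        # assumption: weight equals the minted amount
        self.weight[member] = self.weight.get(member, 0) + minted
        return minted


def credited_weight(sync_first, stray_base, reward):
    """Return (member weight, pool reserve) after one harvest. Constructed values."""
    pool = Pool()
    pool.receive(1000)                 # constructed existing liquidity
    pool.sync()
    vault = Vault(pool, sync_first)
    pool.receive(stray_base)           # BASE sent to the pool before the harvest
    vault.harvest_single("member", reward)
    return vault.weight["member"], pool.recorded
```
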