Open code423n4 opened 3 years ago
Not a realistic scenario; we may also find Satoshi's private keys.
There is also basically no incentive for someone to find this private key, nor is it much of a problem if someone does. The markets only need initial liquidity initially. Once they are running, removing this isn't an issue.
Downgrading to 0, while not super realistic, also seems unreasonable to add code for "fun" that could one day (hopefully) be handling billions of dollars worth of users' funds.
Handle
pauliax
Vulnerability details
Impact
The initial liquidity is minted to this address:

```solidity
/// @notice this is the address that permanently locked initial liquidity for markets is held by.
/// These tokens will never move so market can never have zero liquidity on a side.
/// @dev f10a7 spells float in hex - for fun - important part is that the private key for this address in not known.
address public constant PERMANENT_INITIAL_LIQUIDITY_HOLDER = 0xf10A7_F10A7_f10A7_F10a7_F10A7_f10a7_F10A7_f10a7;
```

While it is true that this address currently seems to have no signs of activity, there is still a theoretical chance it will be discovered in the future. Possible mitigation could be to forbid this sender in transfer functions of SyntheticToken.
Recommended Mitigation Steps
Add restrictions on transfers of synthetic tokens from PERMANENT_INITIAL_LIQUIDITY_HOLDER.