Open code423n4 opened 2 years ago
In the absence of a PoC, will downgrade to non-critical.
I fully agree with the warden's recommendation. Additionally, as they already identified in #177, in the absence of a list of supported tokens the protocol is implicitly supporting ANY token.
Handle
0xRajeev
Vulnerability details
Impact
The protocol allows the use of arbitrary tokens in baskets without an initial time-bounded whitelist of tokens or global pause/unpause functionality. This is a risky design because, if there are latent protocol vulnerabilities, there is no fallback option.
While the README acknowledges that “The protocol is designed for standard ERC20 tokens, it is not currently concerned with the potential effects of rebasing or non-standard ERC20 implementations”, this does not prevent publishers from intentionally or accidentally using non-standard ERC20 tokens, which will affect both them and users.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/README.md#info
Tools Used
Manual Analysis
Recommended Mitigation Steps
Strongly consider a time-bound guarded launch approach with whitelisted tokens, emergency circuit breakers (Pausable) and emergency withdrawal functions.
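As an added illustration of the mitigation pattern recommended above (not code from the audited protocol or from the warden), the following hypothetical contract combines the three pieces: a token whitelist that is enforced only until a configurable launch deadline, an owner-operated circuit breaker via OpenZeppelin's Pausable, and a user-level emergency withdrawal that only works while paused. It assumes OpenZeppelin Contracts v4.x import paths; contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin Contracts v4.x (paths differ in v5, e.g. utils/Pausable.sol).
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Hypothetical guarded-launch gate; illustrative only, not the audited protocol.
contract GuardedLaunchGate is Pausable, Ownable {
    using SafeERC20 for IERC20;

    /// Timestamp until which only whitelisted tokens are accepted. Once it passes the
    /// whitelist restriction lifts automatically; the pause switch stays available.
    uint256 public immutable whitelistEnd;
    mapping(address => bool) public whitelisted;

    /// Per-user, per-token balance credited by deposit(). Used for emergency exit.
    mapping(address => mapping(address => uint256)) public credited;

    event TokenWhitelisted(address indexed token, bool allowed);
    event EmergencyWithdraw(address indexed user, address indexed token, uint256 amount);

    constructor(uint256 guardedPeriodSeconds) {
        whitelistEnd = block.timestamp + guardedPeriodSeconds;
    }

    function setWhitelisted(address token, bool allowed) external onlyOwner {
        whitelisted[token] = allowed;
        emit TokenWhitelisted(token, allowed);
    }

    /// During the guarded period a token must be explicitly whitelisted; afterwards any token.
    function tokenAllowed(address token) public view returns (bool) {
        return block.timestamp >= whitelistEnd || whitelisted[token];
    }

    modifier onlyAllowedToken(address token) {
        require(tokenAllowed(token), "token not whitelisted during guarded launch");
        _;
    }

    /// Example user entry point; the protocol's basket logic would sit behind this gate.
    /// `whenNotPaused` is the circuit breaker, `onlyAllowedToken` the launch whitelist.
    function deposit(address token, uint256 amount)
        external
        whenNotPaused
        onlyAllowedToken(token)
    {
        // Credit the balance delta rather than `amount`, so a fee-on-transfer or
        // rebasing token cannot be credited for more than actually arrived.
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        credited[msg.sender][token] += received;
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    /// Emergency exit for users: callable only while paused, bypasses all protocol
    /// logic and returns exactly what was credited. Owner never takes custody.
    function emergencyWithdraw(address token) external whenPaused {
        uint256 amount = credited[msg.sender][token];
        require(amount > 0, "nothing credited");
        credited[msg.sender][token] = 0; // effects before interaction
        IERC20(token).safeTransfer(msg.sender, amount);
        emit EmergencyWithdraw(msg.sender, token, amount);
    }
}
```

Two design points worth noting: the emergency path is user-initiated and per-user rather than an owner "sweep to arbitrary address", which avoids turning the circuit breaker into a custody risk, and the whitelist expiry is a timestamp baked in at deployment, so the guarded launch cannot be silently extended or shortened after the fact. The owner role should still be a multisig or timelock in practice.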