code-423n4 / 2021-09-defiprotocol-findings


Limit on growth size of pool - bond size #275

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

goatbug

Vulnerability details

Impact

This economic impact describes how the protocol will be unable to scale for large portfolios (i.e. a pool of capital of say >$10m).

The BondDiv is set to 400 and constant across all portfolios.

This in essence ensures that someone requires 0.25% of the portfolio in order to perform a re-balance.

In traditional finance it is impossible to assume a single actor will have 0.25% of the entire portfolio capital to be able to perform a re-balance.

In any case, this means that only a very small select few individuals may have enough bond (0.25% of the portfolio) to be able to actually re-balance the portfolio.

The BondDiv should accordingly scale according to the size ($ value) of the portfolio in question.

Since the system will likely have users create portfolios that garner different values, it makes no sense to have a global bondDiv that is consistent across all pools.

In some pools the bondDiv should be, say, 50 (a small pool), while in larger pools the bondDiv should be around 1000, for example.

This is important to avoid DDoS attacks, as will be described in the next issue.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

Recommended Mitigation Steps
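An added illustration of the math behind this finding (not code from the submission or from the protocol): the bond a rebalancer must post under the constant divisor of 400, compared with a divisor that scales with pool value. The scaling rule used here (aim for a target absolute bond of $25,000, clamped to the 50..1000 divisor range the finding suggests) is an assumption for illustration only.

```python
# Constructed model of the bond-size argument: bond = pool_value / bondDiv.
CONSTANT_BOND_DIV = 400                 # fixed divisor the finding says the protocol uses
MIN_BOND_DIV, MAX_BOND_DIV = 50, 1000   # divisor range suggested in the finding (small .. large pool)
TARGET_BOND_USD = 25_000                # assumed absolute bond a scaled rule aims for


def constant_bond_usd(pool_value_usd: float) -> float:
    """Bond required when bondDiv is fixed at 400: always 0.25% of the pool,
    so the absolute amount grows without bound as the pool grows."""
    return pool_value_usd / CONSTANT_BOND_DIV


def scaled_bond_div(pool_value_usd: float, target_bond_usd: float = TARGET_BOND_USD) -> int:
    """Assumed scaling rule: choose the divisor that keeps the bond near the
    target, clamped to the 50..1000 range. Small pools get a small divisor
    (larger fraction, but small absolute bond); large pools get a large one."""
    raw = pool_value_usd / target_bond_usd
    return int(min(MAX_BOND_DIV, max(MIN_BOND_DIV, raw)))


def scaled_bond_usd(pool_value_usd: float, target_bond_usd: float = TARGET_BOND_USD) -> float:
    """Bond required under the scaled divisor."""
    return pool_value_usd / scaled_bond_div(pool_value_usd, target_bond_usd)


def bond_fraction(pool_value_usd: float, bond_usd: float) -> float:
    """Share of the pool a single actor must control to post the bond."""
    return bond_usd / pool_value_usd


def compare(pool_values_usd):
    """Side-by-side rows for a set of pool sizes (constructed inputs)."""
    rows = []
    for v in pool_values_usd:
        rows.append({
            "pool_usd": v,
            "constant_bond_usd": constant_bond_usd(v),
            "scaled_div": scaled_bond_div(v),
            "scaled_bond_usd": scaled_bond_usd(v),
            "scaled_fraction": bond_fraction(v, scaled_bond_usd(v)),
        })
    return rows


if __name__ == "__main__":
    for row in compare([1_000_000, 10_000_000, 100_000_000, 1_000_000_000]):
        print(row)
```

At $1bn of pool value the constant rule demands a $2.5m bond from one actor, while the clamped scaled rule caps the divisor at 1000 and so asks for $1m, which is the effect the finding is arguing for.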

frank-beard commented 2 years ago

not an exploit

GalloDaSballo commented 2 years ago

I appreciate the consideration from the warden

Factually they state that given certain conditions, rebalancing will be expensive for most users

However, there is a lack of clear examples / math, and as the sponsor says, this is not an exploit.

I'll downgrade to non-critical because I appreciate the warden's input; however, this is outside the scope of the security audit. At the same time, the sponsor should definitely consider the real-world implications of the math the warden mentioned.