code-423n4 / 2021-09-defiprotocol-findings


DDoS of rebalance #276

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

goatbug

Vulnerability details

Impact

Given a bondDiv of, say, 400, it requires 0.25% of a portfolio's capital to perform a DDoS attack.

Portfolio rebalancing is often a time sensitive task. New weights need to be put into place to take advantage of shifts in capital market expectations etc.

Users can block rebalances for 48hrs, a sizeable window, through a relatively cheap DDoS of 0.25% of the portfolio, a relatively small size.

48hrs, since a 24hr timelock is required for a new proposal and a 24hr bond arbitration period is required. A user simply watches the mempool and submits a bond proposal immediately to lock the contract in an auction phase.

A user could therefore block a market from any change for more than 196 hours (4*24) for the cost of 1%. 8 days is often too slow for a portfolio to react and rebalance in crypto market conditions. This is annoying and another reason one needs to consider the bondDiv more carefully and scale it according to portfolio size.

One could consider simply allowing anyone to settle the auction. This removes the DDoS attack.

Proof of Concept


Tools Used

Recommended Mitigation Steps
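As an added example (not part of the finding or of the defiprotocol contracts), a small model of the timeline described above: it compares bonder-only settlement with the proposed anyone-can-settle change and shows how bondDiv can be sized to portfolio value. The Scenario fields, the cost rule bond = portfolio_value / bond_div and the minimum-bond figure are assumptions.

```python
"""Constructed timeline model of the rebalance griefing described in this
finding. Not defiprotocol code: the Scenario fields, the cost rule
bond = portfolio_value / bond_div and the settle-policy switch are assumptions."""
from dataclasses import dataclass

TIMELOCK_H = 24      # proposal timelock stated in the finding
BOND_WINDOW_H = 24   # bond arbitration / auction window stated in the finding


@dataclass(frozen=True)
class Scenario:
    portfolio_value: float    # assumed unit (e.g. USD)
    bond_div: int             # assumed: bond = portfolio_value / bond_div
    anyone_can_settle: bool   # the mitigation proposed in the finding


def bond_cost(s: Scenario) -> float:
    return s.portfolio_value / s.bond_div


def hours_blocked(s: Scenario, budget: float) -> tuple[float, float]:
    """Hours a griefer can keep the basket un-rebalanced with `budget`, and
    what it costs them. Each cycle: a proposal sits in the timelock, the
    griefer bonds and lets the auction window lapse, and a fresh proposal is
    needed (the 48h the finding describes). If anyone may settle, an honest
    party settles as soon as the auction is live, so the bond buys no delay."""
    cost = bond_cost(s)
    cycles = int(budget // cost)
    if s.anyone_can_settle:
        return 0.0, 0.0   # no extra delay, so no rational reason to bond
    return cycles * (TIMELOCK_H + BOND_WINDOW_H), cycles * cost


def max_bond_div(portfolio_value: float, min_bond: float) -> int:
    """Largest bond_div that keeps a single bond at or above `min_bond`,
    i.e. scaling bond_div to portfolio size as the finding suggests."""
    if min_bond <= 0 or portfolio_value < min_bond:
        raise ValueError("portfolio too small for the requested minimum bond")
    return int(portfolio_value // min_bond)
```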

frank-beard commented 2 years ago

This is possible; however, the ability for anyone to rebalance is important. We will look into possible solutions to mitigate this.

GalloDaSballo commented 2 years ago

Duplicate of #66