Closed code423n4 closed 2 years ago
this is intentional
The burn is part of the protocol, the burn is burning the shares of the basket, which means no external funds are lost. As per what the Sponsor says, this is intentional.
Personally am not fully sure who would put their own funds at risk (am assuming this is to motivate action similarly to Olympus Pro)
Handle
leastwood
Vulnerability details
Impact
An auction bonder has a single day's worth of blocks to call settleAuction() and perform the necessary rebalance. In the event this does not happen, any user is able to call bondBurn() and have the bond burnt in its entirety. As a result, the basketTokens used as a bond deposit are unable to be recovered by any user in the system and lead to wasted resources.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Auction.sol#L111-L124
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Basket.sol#L102-L108
Tools Used
Manual code review
Recommended Mitigation Steps
Ideally distribute the burnt bond to all protocol users. Alternatively, a more simple approach would be to enable the publisher to extract any excess tokens. This could be done by transferring the tokens from the auction bonder to the publisher upon executing bondBurn(), enabling them to later withdraw the correct share of the basket.