Open code423n4 opened 3 years ago
Duplicate of #2
Agree with finding, this vault accounting can be used for arbitrage opportunities as tokens are treated at exact value while they may have imbalances in price
This is not a duplicate as it's explaining a specific attack vector
Also raising risk valuation as this WILL be used to extract value from the system
Handle
hickuphh3
Vulnerability details
Impact
The vault treats all assets to be of the same price. Given that one can also deposit and withdraw in the same transaction, this offers users the ability to swap available funds held in the vault at parity, with the withdrawal protection fee (0.1%) effectively being the swap fee.
Due care and consideration should therefore be placed if new stablecoins are to be added to the vault (e.g. algorithmic ones that tend to occasionally be off-peg), or when lowering the withdrawal protection fee.
Recommended Mitigation Steps
setWithdrawalProtectionFee() could have a requirement for the value to be non-zero. A zero withdrawal fee could be set in setHalted(), whereby only withdrawals will be allowed.
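A constructed model of the accounting described in this finding, added here as an illustration and not the project's own code: every token is valued at 1.0, deposit and withdraw happen in one call, and the withdrawal protection fee is the only cost. It quantifies the value that leaves the vault for a given set of external prices, derives the fee floor that makes a parity swap unprofitable, and implements the suggested non-zero-fee requirement; token names, prices and balances are constructed sample values.

```python
import math
from dataclasses import dataclass, field
from fractions import Fraction

BPS = 10_000  # fees in basis points: 10 bps == 0.1%


@dataclass
class ParityVault:
    """Minimal model of the vault: all stablecoins priced at exactly 1.0,
    shares minted 1:1 on deposit, redeemable for any held token minus fee."""
    withdrawal_fee_bps: int = 10
    halted: bool = False
    balances: dict = field(default_factory=dict)  # token -> units held

    def set_withdrawal_protection_fee(self, bps: int) -> None:
        # Suggested mitigation: a zero fee is only acceptable while halted
        # (withdraw-only), since the fee is the only cost of a parity swap.
        if bps == 0 and not self.halted:
            raise ValueError("zero withdrawal fee is only allowed while halted")
        self.withdrawal_fee_bps = bps

    def deposit(self, token: str, amount: Fraction) -> Fraction:
        if self.halted:
            raise RuntimeError("deposits are halted")
        self.balances[token] = self.balances.get(token, Fraction(0)) + amount
        return amount  # shares == amount because every token is worth 1.0

    def withdraw(self, token: str, shares: Fraction) -> Fraction:
        out = shares * (BPS - self.withdrawal_fee_bps) / BPS
        if out > self.balances.get(token, Fraction(0)):
            raise RuntimeError("insufficient vault balance of requested token")
        self.balances[token] -= out
        return out


def parity_swap_gain(vault, token_in, token_out, amount, prices):
    """Value change (reference currency) of a same-transaction deposit and
    withdraw, measured at external prices the vault ignores."""
    received = vault.withdraw(token_out, vault.deposit(token_in, amount))
    return received * prices[token_out] - amount * prices[token_in]


def fee_floor_bps(prices):
    """Smallest fee (bps) at which no token pair swaps at a gain:
    fee >= 1 - p_in / p_out for the most off-peg pair."""
    worst = max(1 - Fraction(p_in) / Fraction(p_out)
                for p_in in prices.values() for p_out in prices.values())
    return math.ceil(worst * BPS)
```

With a constructed 2% depeg and the 0.1% fee from the finding, the model shows a gain of 19 units per 1000 swapped and a required fee floor of 200 bps.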