`blockLock` of `RENCRV_SETT` makes transactions likely to fail as only 1 transaction is allowed in 1 block

[code423n4]

Handle

WatchPug

Vulnerability details

https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/SettToRenIbbtcZap.sol#L268-L271

require(
    RENCRV_SETT.blockLock(address(IBBTC_MINT_ZAP)) < block.number,
    "blockLocked"
);

Recommendation

Considering that the RENCRV_SETT contract is also controlled by BadgerDAO and it's upgradable.

We suggest upgrading it and whitelisting the zap contracts.

[tabshaikh]

Gonna do that

[GalloDaSballo]

Disagree with the finding, the blocklock is a feature not a bug, if this were to be a repeated issue we would have to change a lot more

[0xleastwood]

agree with sponsor, marking as low risk as it is still a useful to consider implementing such a change.