code-423n4 / 2021-11-badgerzaps-findings


`blockLock` of `RENCRV_SETT` makes transactions likely to fail as only 1 transaction is allowed in 1 block #52

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/SettToRenIbbtcZap.sol#L268-L271

require(
    RENCRV_SETT.blockLock(address(IBBTC_MINT_ZAP)) < block.number,
    "blockLocked"
);

Recommendation

Considering that the RENCRV_SETT contract is also controlled by BadgerDAO and is upgradable, we suggest upgrading it and whitelisting the zap contracts.
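As an added sketch (not code from the Badger repository), the pattern this finding describes: a block lock keyed by `msg.sender`, a zap that funnels every user through one shared address, and a governance whitelist of the kind the recommendation asks for. All contract and function names here are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault: records the last block in which an address called it and
// refuses a second call from that address within the same block.
contract BlockLockedVault {
    mapping(address => uint256) public blockLock;
    mapping(address => bool) public approvedContractAccess; // hypothetical whitelist
    address public governance;

    constructor() { governance = msg.sender; }

    // Governance whitelists trusted contracts so the lock is skipped for them.
    function approveContractAccess(address account) external {
        require(msg.sender == governance, "!governance");
        approvedContractAccess[account] = true;
    }

    // Record the caller's block and reject a second call in the same block,
    // unless the caller is whitelisted (the mitigation the finding recommends).
    modifier blockLocked() {
        if (!approvedContractAccess[msg.sender]) {
            require(blockLock[msg.sender] < block.number, "blockLocked");
            blockLock[msg.sender] = block.number;
        }
        _;
    }

    function deposit(uint256 amount) external blockLocked {
        // accounting omitted; only the lock behaviour matters here
    }
}

// Hypothetical zap that routes every user through its own single address.
// Without the whitelist, the vault sees the zap (not the user) as msg.sender,
// so the second user's transaction in a block reverts with "blockLocked".
contract SharedZap {
    BlockLockedVault public immutable vault;

    constructor(BlockLockedVault v) { vault = v; }

    function zapIn(uint256 amount) external {
        // Mirrors the pre-check quoted in the finding: fail early in the zap
        // rather than deep inside the vault call.
        require(vault.blockLock(address(this)) < block.number, "blockLocked");
        vault.deposit(amount);
    }
}
```

Once governance calls `approveContractAccess(address(zap))`, `blockLock[zap]` is never written, so the pre-check keeps passing and several users can zap in the same block.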

tabshaikh commented 2 years ago

Gonna do that

GalloDaSballo commented 2 years ago

Disagree with the finding; the blocklock is a feature, not a bug. If this were to be a repeated issue, we would have to change a lot more.

0xleastwood commented 2 years ago

Agree with sponsor, marking as low risk as it is still useful to consider implementing such a change.