Closed code423n4 closed 2 years ago
Again, this is part of their threat model. The contract owner is not expected to be malicious. Ideally, this should be documented better. But it's entirely possible that the contract owner is a governance framework.
Handle
0x0x0x
Vulnerability details
When the diamond has BasketFacet, then the following attack is possible:
1- Create a new ERC20 token A with a lot of quantity
2- Lock the basket
3- Send MIN_AMOUNT many token A to the basket
4- Remove all tokens except token A
5- Unlock the basket
6- Call joinPool and with token A’s receive shares from the basket
7- Add all tokens back
8- Exit and profit
As a consequence user funds are lost.