Closed code423n4 closed 2 years ago
I think the basket owner is intended to be a trusted account that won't act maliciously and is part of Amun's threat model. Unless @loki-sama can comment otherwise, I'll mark this as invalid
.
The basket owner could also remove all tokens from the basket, preventing any withdraws.
Handle
Czar102
Vulnerability details
Impact
Provided an owner can add any tokens to the basket, it may add a token, for which the owner can burn tokens from any account. Then, after adding the token to the basket, the owner may burn tokens so that
token.balanceof(BasketFacet)
will be belowMIN_AMOUNT
. Then, every call toBasketFacet::exitPool(...)
will fail because of this check, effectively locking all tokens in the basket.Tools Used
Manual Analysis
Recommended Mitigation Steps
Consider resigning from the
MIN_AMOUNT
basket token balance check in theexitPool(...)
function or alternatively create a confirmation period for token users to be able to quit the basket before locking their funds. The second solution is worse, because it demands constant supervision from investors.