code-423n4 / 2021-12-amun-findings


Owner of the BasketFacet can cause DoS for `exitPool(...)` function #285

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

Czar102

Vulnerability details

Impact

Provided an owner can add any tokens to the basket, it may add a token for which the owner can burn tokens from any account. Then, after adding the token to the basket, the owner may burn tokens so that token.balanceOf(BasketFacet) will be below MIN_AMOUNT. Then, every call to BasketFacet::exitPool(...) will fail because of this check, effectively locking all tokens in the basket.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Consider resigning from the MIN_AMOUNT basket token balance check in the exitPool(...) function or alternatively create a confirmation period for token users to be able to quit the basket before locking their funds. The second solution is worse, because it demands constant supervision from investors.
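The sequence the finding describes, as an added Solidity illustration that is not part of the original issue or of Amun's code base. Everything here is hypothetical: the contract names (OwnerBurnToken, ToyBasket), the ownerBurn backdoor, the joinPool/exitPool/canExit functions and the value of MIN_AMOUNT are assumptions; only the shape of the per-token floor check is modelled on what the finding reports. The vulnerable exitPool and the mitigated exitPoolNoFloor sit side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this finding, not Amun code. All names are hypothetical.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// An ERC-20 whose deployer can destroy any holder's balance. Nothing in the
// interface forbids this, and a basket that only reads balanceOf cannot tell
// this token apart from a well-behaved one.
contract OwnerBurnToken is IERC20 {
    address public immutable owner;
    mapping(address => uint256) public override balanceOf;

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        balanceOf[msg.sender] -= amount; // 0.8.x reverts on underflow
        balanceOf[to] += amount;
        return true;
    }

    // Allowance bookkeeping omitted to keep the illustration short (hypothetical).
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // The backdoor: the token owner can push the basket's balance under MIN_AMOUNT.
    function ownerBurn(address victim, uint256 amount) external {
        require(msg.sender == owner, "not token owner");
        balanceOf[victim] -= amount;
    }
}

// Minimal basket: joinPool pulls `amount` of every listed token and mints
// `amount` shares; exits pay out pro rata. exitPool keeps the per-token floor
// the finding describes; exitPoolNoFloor is the finding's first mitigation.
contract ToyBasket {
    uint256 public constant MIN_AMOUNT = 1e6; // hypothetical floor
    address public immutable owner;
    IERC20[] public tokens;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor() { owner = msg.sender; }

    function addToken(IERC20 token) external {
        require(msg.sender == owner, "not basket owner");
        tokens.push(token);
    }

    function joinPool(uint256 amount) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            require(tokens[i].transferFrom(msg.sender, address(this), amount), "transfer failed");
        }
        shares[msg.sender] += amount;
        totalShares += amount;
    }

    // Vulnerable variant: once any token's balance sits below MIN_AMOUNT, the
    // require fails for every caller and every share amount, including tiny ones.
    function exitPool(uint256 amount) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 balance = tokens[i].balanceOf(address(this));
            uint256 out = balance * amount / totalShares;
            require(balance - out >= MIN_AMOUNT, "TOKEN_BALANCE_TOO_LOW");
        }
        _redeem(amount);
    }

    // Mitigated variant: no floor, so a drained token only lowers that token's
    // payout instead of blocking withdrawal of every other token in the basket.
    function exitPoolNoFloor(uint256 amount) external {
        _redeem(amount);
    }

    function _redeem(uint256 amount) internal {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 supply = totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 out = tokens[i].balanceOf(address(this)) * amount / supply;
            require(tokens[i].transfer(msg.sender, out), "transfer failed");
        }
    }

    // Read-only probe of the same check, so the DoS can be observed without a tx.
    function canExit(uint256 amount) external view returns (bool) {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 balance = tokens[i].balanceOf(address(this));
            if (balance - balance * amount / totalShares < MIN_AMOUNT) return false;
        }
        return true;
    }
}
```

Walkthrough: the basket owner deploys OwnerBurnToken, calls addToken with it, and hands some tokens to a user who approves and calls joinPool(1e8). The owner then calls ownerBurn(address(basket), 1e8 - MIN_AMOUNT + 1), leaving the basket with MIN_AMOUNT - 1 of that token. From that point canExit returns false for any share amount, every exitPool call reverts with TOKEN_BALANCE_TOO_LOW, and the user's shares in all other tokens are stuck too, because the check runs across the whole token list. With exitPoolNoFloor the same user still redeems their full share of every other token and whatever remains of the burned one.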

0xleastwood commented 2 years ago

I think the basket owner is intended to be a trusted account that won't act maliciously and is part of Amun's threat model. Unless @loki-sama can comment otherwise, I'll mark this as invalid.

0xleastwood commented 2 years ago

The basket owner could also remove all tokens from the basket, preventing any withdrawals.