Handle
pedroais
Vulnerability details
Impact
Changing the entry and exit fees on the basket doesn't require a timelock. Users could be front-run with a higher fee before entering a basket. The issue is low risk since there is a maximum cap of 10% on the fee, so it can't be set to 100%.
Even if this attack could only be made by privileged roles, adding a timelock would make the protocol more trustless.
Proof of Concept
When a user enters a basket with 0 or low fees, their transaction can be front-run. Entry and exit fees could be changed to the maximum, which is a value the user didn't necessarily agree to.
Recommended Mitigation Steps
Add a timelock to change entry and exit fees.
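One way to implement the recommended timelock, as an added example that is not the audited project's code. The contract name, function names, the 2-day delay and the 1e18 fee scale are assumptions for illustration; only the 10% cap comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration; names, the 2-day delay and the
// 1e18 fee scale are assumptions, not taken from the audited code base.
contract TimelockedBasketFees {
    uint256 public constant MAX_FEE = 1e17;      // 10% cap, with 1e18 = 100%
    uint256 public constant FEE_DELAY = 2 days;  // assumed delay

    address public immutable owner;
    uint256 public entryFee;
    uint256 public exitFee;

    struct PendingFees { uint256 entryFee; uint256 exitFee; uint256 eta; }
    PendingFees public pending; // eta == 0 means nothing is queued

    event FeeChangeQueued(uint256 entryFee, uint256 exitFee, uint256 eta);
    event FeeChangeApplied(uint256 entryFee, uint256 exitFee);

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    constructor() { owner = msg.sender; }

    // Step 1: announce the new fees on-chain; the live fees do not change yet.
    function queueFees(uint256 newEntryFee, uint256 newExitFee) external onlyOwner {
        require(newEntryFee <= MAX_FEE && newExitFee <= MAX_FEE, "FEE_TOO_HIGH");
        uint256 eta = block.timestamp + FEE_DELAY;
        pending = PendingFees(newEntryFee, newExitFee, eta);
        emit FeeChangeQueued(newEntryFee, newExitFee, eta);
    }

    // Step 2: apply only after the delay has elapsed, so a fee change cannot be
    // slipped in just ahead of a user's pending entry or exit transaction.
    function applyFees() external onlyOwner {
        PendingFees memory p = pending;
        require(p.eta != 0, "NOTHING_QUEUED");
        require(block.timestamp >= p.eta, "TIMELOCK_ACTIVE");
        delete pending;
        entryFee = p.entryFee;
        exitFee = p.exitFee;
        emit FeeChangeApplied(p.entryFee, p.exitFee);
    }
}
```

Users and front ends can watch `FeeChangeQueued` to see upcoming fees before they take effect; re-queuing overwrites the pending values and restarts the delay.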