Open code423n4 opened 2 years ago
This is correct; however, we are not as concerned with having more tokens than is needed, and future rebalances can correct this issue. I would consider this as a low/medium risk, as perhaps a naive publisher could not recognize this and create issues when rebalancing.
I don't think there will be any changes to the basket's `ibRatio` when an auction is ongoing. `Basket.sol` does not allow for such changes and `Basket.handleFees()` is the only function which updates `ibRatio`. At best, I think this is a low severity issue as automatically calculating the correct token amounts prevents bonded users from making mistakes upon calling `settleAuction()`.
Handle
0x0x0x
Vulnerability details
If someone calls `settleAuction` and inputs more tokens than the person should, tokens get stuck. To avoid this, it would be better to compute `inputTokens/inputWeights` and `outputTokens/outputWeights` automatically, since they can be known beforehand. When a bonder sends a `settleAuction` request, any change to conditions might lead them to lose their funds (or revert). Furthermore, this is a serious attack vector and, for example, web hackers can abuse it, without even communicating with a different contract.
Mitigation step
Automate the calculation of `inputTokens/inputWeights` and `outputTokens/outputWeights` or add a mechanism to calculate excess amounts for everything and transfer them back to the sender.
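
A sketch of the second mitigation above (returning excess to the sender), added here as an illustration; it is not taken from the project's contracts or written by the reporter. The contract `SettleWithRefund`, the `required` mapping and the `settle` function are hypothetical, and the example assumes standard ERC-20 tokens that return `bool` and charge no transfer fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the project's code. All names here are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SettleWithRefund {
    // Assumption: the balance this contract must hold per token after settlement.
    // A real auction would derive this from basket state rather than store it freely.
    mapping(address => uint256) public required;

    constructor(address[] memory tokens, uint256[] memory amounts) {
        require(tokens.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            required[tokens[i]] = amounts[i];
        }
    }

    // The caller still supplies amounts, but anything above the requirement
    // is returned in the same transaction instead of staying in the contract.
    function settle(address[] calldata tokens, uint256[] calldata amounts) external {
        require(tokens.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20 token = IERC20(tokens[i]);
            require(token.transferFrom(msg.sender, address(this), amounts[i]), "pull failed");

            uint256 balance = token.balanceOf(address(this));
            uint256 needed = required[tokens[i]];
            require(balance >= needed, "insufficient input");

            // Cap the refund at what this caller just sent, so a surplus that
            // existed before the call is never paid out to the caller.
            uint256 surplus = balance - needed;
            uint256 refund = surplus < amounts[i] ? surplus : amounts[i];
            if (refund > 0) {
                require(token.transfer(msg.sender, refund), "refund failed");
            }
        }
    }
}
```

Tokens that do not return a `bool` from `transfer` would need a safe-transfer wrapper in place of the bare `require` checks.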