code-423n4 / 2021-12-defiprotocol-findings


DOS attack - BondForRebalance #80

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

GeekyLumberjack

Vulnerability details

Impact

This assumes that users will be able to obtain basket tokens. Based off the docs, this seems to be the case.

bondForRebalance() has no access controls, allowing for an attacker to make themselves the auctionBonder. The attacker becoming the auctionBonder keeps the auction from being able to be settled. The only way to reset would be to call bondBurn().

Proof of Concept

Here is a link to my contracts and test case. You should be able to drop them directly into your repo (in the correct folders) and run the test to see that the attacker successfully sets auctionBonder to their own address.

https://github.com/GeekyLumberjack/ProofOfConcept-defiProtocol.git

Tools Used

Hardhat / manual analysis

Recommended Mitigation Steps

Add access controls to bondForRebalance().

frank-beard commented 2 years ago

This is how the protocol is intended to work; if someone bonds and does not rebalance, they lose their bond.

0xleastwood commented 2 years ago

So I think the intended functionality of this mechanism is as follows:

Effectively, the burnt tokens will distribute the user's share of the assets to all basket token holders. Because this is intended, I'm marking this issue as invalid.
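The bond, stall and burn sequence discussed in this thread, as an added Python model that is not part of the issue or the project's contracts. The bond size (`BOND_DIVISOR`), the settle window (`BOND_WINDOW`), the escrow accounting and the sample balances are assumptions made for illustration; only the names bondForRebalance, bondBurn and auctionBonder come from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

BOND_DIVISOR = 400    # assumption: bond = total basket-token supply / 400
BOND_WINDOW = 86_400  # assumption: seconds the bonder has to settle

@dataclass
class Basket:
    assets: float                                  # underlying value held
    balances: dict = field(default_factory=dict)   # basket tokens per holder
    bonder: Optional[str] = None                   # models auctionBonder
    bond: float = 0.0                              # tokens held in escrow
    bonded_at: int = 0

    @property
    def supply(self):
        return sum(self.balances.values()) + self.bond

    def value_of(self, holder):
        return self.balances.get(holder, 0.0) * self.assets / self.supply

    def bond_for_rebalance(self, caller, now):
        # No access control: any holder with enough basket tokens may bond.
        if self.bonder is not None:
            raise RuntimeError("auction already bonded")
        amount = self.supply / BOND_DIVISOR
        if self.balances.get(caller, 0.0) < amount:
            raise RuntimeError("insufficient basket tokens for bond")
        self.balances[caller] -= amount
        self.bonder, self.bond, self.bonded_at = caller, amount, now

    def settle(self, caller, now):
        if caller != self.bonder or now > self.bonded_at + BOND_WINDOW:
            raise RuntimeError("only the bonder can settle, inside the window")
        self.balances[caller] += self.bond         # bond is returned
        self.bonder, self.bond = None, 0.0

    def bond_burn(self, now):
        # Callable by anyone once the window lapses without a settle.
        if self.bonder is None or now <= self.bonded_at + BOND_WINDOW:
            raise RuntimeError("nothing to burn yet")
        self.bonder, self.bond = None, 0.0         # escrowed tokens destroyed

def stalled_bond_outcome():
    b = Basket(1_000_000.0, {"honest": 990.0, "staller": 10.0})  # constructed
    before = {h: b.value_of(h) for h in b.balances}
    b.bond_for_rebalance("staller", now=0)
    b.bond_burn(now=BOND_WINDOW + 1)
    after = {h: b.value_of(h) for h in b.balances}
    return before, after, b.bonder
```

Under these assumptions each stalled auction costs the bonder their escrowed share and raises every other holder's claim on the basket, while the auction becomes bondable again after the burn.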