code-423n4 / 2022-01-sandclock-findings


Authorities can grief with fees #189

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

The authorized parties can front-run finishRedeemStable and invoke setPerfFeePct, setting a huge fee (for example fee = 100%). Because finishRedeemStable is a second step that cannot be canceled and can be invoked by anyone, users have no way to avoid this new high fee.

A similar issue was submitted in a previous contest, you can find more details here: https://github.com/code-423n4/2021-05-nftx-findings/issues/51

Recommended Mitigation Steps

I am not sure what solution is the best in your case, but you can consider introducing an upper limit (e.g. 20%) for the perfFeePct or adding a delay before new settings take effect.
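The two mitigations suggested above (a cap on perfFeePct and a delay before a new fee takes effect) can be combined in one setter. The contract below is an added illustration written for this thread; it is not the Sandclock vault's code. The contract name, the 10_000 = 100% scale, the 20% cap, the 2-day delay and the propose/apply function names are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not the Sandclock code): a performance-fee setter that
/// bounds the fee and applies changes only after a delay, so a pending
/// finishRedeemStable cannot be front-run with a surprise fee.
contract BoundedTimelockedFee {
    // Assumed scale: 10_000 == 100%. The real vault's divisor may differ.
    uint256 public constant PCT_DIVISOR = 10_000;
    // Assumed cap of 20%, the figure suggested in the finding.
    uint256 public constant MAX_PERF_FEE_PCT = 2_000;
    // Assumed delay before a proposed fee becomes effective.
    uint256 public constant FEE_CHANGE_DELAY = 2 days;

    address public immutable admin;
    uint256 public perfFeePct;

    // Pending change; pendingEffectiveAt == 0 means nothing is pending.
    uint256 public pendingPerfFeePct;
    uint256 public pendingEffectiveAt;

    event PerfFeePctProposed(uint256 newPct, uint256 effectiveAt);
    event PerfFeePctApplied(uint256 newPct);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(uint256 initialPct) {
        require(initialPct <= MAX_PERF_FEE_PCT, "fee above cap");
        admin = msg.sender;
        perfFeePct = initialPct;
    }

    /// Step 1: the authorised party proposes a fee. The value is bounded by
    /// the cap and does not take effect yet, so a user mid-redeem is not hit.
    function proposePerfFeePct(uint256 pct) external onlyAdmin {
        require(pct <= MAX_PERF_FEE_PCT, "fee above cap");
        pendingPerfFeePct = pct;
        pendingEffectiveAt = block.timestamp + FEE_CHANGE_DELAY;
        emit PerfFeePctProposed(pct, pendingEffectiveAt);
    }

    /// Step 2: anyone may apply the proposed fee once the delay has elapsed.
    function applyPerfFeePct() external {
        require(pendingEffectiveAt != 0, "nothing pending");
        require(block.timestamp >= pendingEffectiveAt, "delay not elapsed");
        perfFeePct = pendingPerfFeePct;
        pendingPerfFeePct = 0;
        pendingEffectiveAt = 0;
        emit PerfFeePctApplied(perfFeePct);
    }

    /// Fee taken from a gain, using whichever perfFeePct is live at the time.
    /// With the cap above this can never exceed 20% of the gain.
    function perfFee(uint256 gain) public view returns (uint256) {
        return (gain * perfFeePct) / PCT_DIVISOR;
    }
}
```

The cap alone removes the 100% case from the finding; the delay is what gives a user who has already started a redeem the chance to call finishRedeemStable under the fee they saw when they started. For that to hold, the delay has to be at least as long as any waiting period between the two redeem steps, and the proposal should be emitted as an event (as above) so off-chain monitoring can alert on fee changes before they go live.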

dmvt commented 2 years ago

It feels like a very long shot that an authorized user would choose to capture 100% in fees for the protocol maliciously. What is gained by doing that? It would go to the treasury, not the attacker. The treasury could simply refund the user. On the other hand, maybe there is a stolen funds scenario and the treasury does want to capture all of the value to distribute it equitably. This seems more viable as a feature than an attack vector. Marking invalid.