Open code423n4 opened 2 years ago
The concern is valid but I do not think that there is any profit for the attacker, and the impact for the regular users is minimal because this value can be updated anytime again by the owner, so I am hesitating if this should be of medium severity or lower, but because the warden provided a nice and comprehensive description, I will leave this in favor of the warden.
Lines of code
https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/WhitelistPeriodManager.sol#L202-L208
Vulnerability details
Impact
The setPerTokenWalletCap() function in WhitelistPeriodManager.sol contains a comment stating:
Even if the manual step of calling the getMaxCommunityLpPositon() function is properly performed, it is possible for a user to add liquidity to increase the maxLp value in between when the getMaxCommunityLpPositon() function is called and when the setPerTokenWalletCap() function is called. Because this process is manual, this doesn't need to be bot frontrunning in the same block as when the setPerTokenWalletCap() function is called, but can be caused by poor timing of an innocent unknowing user adding liquidity to the protocol. If this condition occurs, the liquidity provider will have provided more liquidity than the perTokenWalletCap limit, breaking the assumptions for this variable and leading to some denial of service conditions.
This edge situation can impact the setTotalCap() function and the "perTokenTotalCap[_token]" state variable as well, but the "perTokenWalletCap[_token]" value would have to be reduced before the "perTokenTotalCap[_token]" value is reduced. The impact to setTotalCap() follows the same execution path but adds the additional step of calling the setTotalCap() function at the end of the process.
Proof of Concept
getMaxCommunityLpPositon(_token) function to identify maxLp value to confirm new perTokenWalletCap value is below maxLp value
setPerTokenWalletCap() function to reduce "perTokenWalletCap[_token]" value
This edge situation can impact the setTotalCap() function and the "perTokenTotalCap[_token]" state variable as well, but the "perTokenWalletCap[_token]" value would have to be reduced before the "perTokenTotalCap[_token]" value is reduced. The impact to setTotalCap() follows the same execution path but adds the additional step of calling the setTotalCap() function at the end of the process.
Tools Used
Manual analysis
Recommended Mitigation Steps
A programmatic solution is the only way to avoid these edge case scenarios, though it will increase gas consumption. To convert the manual calling of getMaxCommunityLpPositon(_token) to a programmatic solution, add the following require statement next to the existing require statement of the setPerTokenWalletCap() function:
require(_perTokenWalletCap <= getMaxCommunityLpPositon(_token), "ERR_PWC_GT_MCLP");
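
The race described under Impact, replayed against a manual and a programmatic setter, as an added sketch that is not part of the original report or Biconomy's contract. The contracts, their names and the running maxLp counter (standing in for getMaxCommunityLpPositon()) are assumptions, and the check enforces the invariant stated under Impact, that no provider holds more than the wallet cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added sketch, not Biconomy's code: one token, deposits only, no access
// control. All names are hypothetical.
contract WalletCapSketch {
    uint256 public walletCap;
    uint256 public maxLp; // largest single position, updated on every deposit
    mapping(address => uint256) public lpOf;

    constructor(uint256 initialCap) { walletCap = initialCap; }

    function addLiquidity(uint256 amount) external {
        uint256 position = lpOf[msg.sender] + amount;
        require(position <= walletCap, "ERR_OVER_WALLET_CAP");
        lpOf[msg.sender] = position;
        if (position > maxLp) maxLp = position;
    }

    // Manual flow: trusts a maxLp value the owner read in an earlier call.
    function setCapUnchecked(uint256 newCap) external { walletCap = newCap; }

    // Programmatic flow: maxLp is read in the transaction that writes the cap.
    function setCapChecked(uint256 newCap) external {
        require(newCap >= maxLp, "ERR_CAP_BELOW_MAX_LP");
        walletCap = newCap;
    }
}

contract RaceDemo {
    // Replays the sequence: read, deposit in between, then set the cap.
    function run() external returns (bool checkedReverted, bool capBroken) {
        WalletCapSketch pool = new WalletCapSketch(100); // constructed values
        pool.addLiquidity(60);
        uint256 observed = pool.maxLp();   // owner's separate read
        uint256 newCap = observed + 10;    // valid against that read
        pool.addLiquidity(30);             // deposit lands before the setter
        try pool.setCapChecked(newCap) {} catch { checkedReverted = true; }
        pool.setCapUnchecked(newCap);      // manual path accepts the stale cap
        capBroken = pool.maxLp() > pool.walletCap();
    }
}
```

A running maximum only works here because the sketch has no withdrawals; once positions can shrink, the setter has to recompute the maximum, which is the gas cost the mitigation mentions.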