Closed code423n4 closed 2 years ago
Duplicate of https://github.com/code-423n4/2022-03-paladin-findings/issues/8 for the cooldown tricking issue. For the issue about locking other users' funds, see the answer in: https://github.com/code-423n4/2022-03-paladin-findings/issues/69
Going to mark this as a duplicate of #8 and close it.
Downgrading severity to match #8.
Lines of code
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L1105-L1133
Vulnerability details
Impact
Because a transfer recomputes the receiver's cooldown as a weighted average of the sender's and receiver's cooldowns, the mechanism can be tricked so that funds which are already ready to withdraw "thrive" inside the allowed unstake window indefinitely. Whenever the window is about to end, those funds can be "mixed" with newly locked tokens, which refreshes the cooldown timestamp and keeps them inside the window again.
Moreover, this allows an instant withdrawal service: a pool whose funds perpetually sit near the end of a period. A user can mix their tokens with the pool's and end their own cooldown instantly, while the pool's funds never expire because they are continually refreshed.
It is believed this is an exploit which breaks core mechanics.
There is also a way to lock another user's funds. A user may rely on their funds unlocking at a specific time, but sending still-locked funds to an account that is almost unlocked postpones its unlock date, which may break smart contracts or strategies built on that timing. Blocking funds in this way can be extremely harmful even though the victim ends up holding more tokens.
Recommended mitigation steps
Don't allow fund mixing.
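The following toy model, added here as an illustration and not taken from the HolyPaladinToken contract or the Paladin codebase, reproduces the weighted-average-on-transfer rule the finding describes and places the "don't allow fund mixing" mitigation beside it. The cooldown period, unstake window, the treatment of funds with no cooldown as "locked now", and the exact form of the mitigation (refuse any transfer that would change the receiver's active cooldown) are assumptions made for the example; only the averaging behaviour and the recommendation come from the finding. Both scenarios from the finding are exercised: refreshing a pool that is about to leave its window, and pushing back the unlock date of an account that has just become ready.

```python
"""
Constructed model of a stake token whose cooldown is averaged on transfer.
Not the project's code: period, window and tie-breaking rules are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DAY = 86400
COOLDOWN_PERIOD = 10 * DAY  # assumed: wait this long after starting a cooldown
UNSTAKE_WINDOW = 2 * DAY    # assumed: then unstake within this window


@dataclass
class Account:
    balance: int = 0
    cooldown_start: Optional[int] = None  # None: no active cooldown


@dataclass
class CooldownToken:
    # mix=True: weighted-average rule the finding exploits.
    # mix=False: hypothetical mitigation that refuses to mix cooldowns.
    mix: bool = True
    accounts: Dict[str, Account] = field(default_factory=dict)

    def acct(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    def mint(self, who: str, amount: int) -> None:
        self.acct(who).balance += amount

    def start_cooldown(self, who: str, now: int) -> None:
        self.acct(who).cooldown_start = now

    def can_unstake(self, who: str, now: int) -> bool:
        a = self.acct(who)
        if a.cooldown_start is None:
            return False
        ready = a.cooldown_start + COOLDOWN_PERIOD
        return ready <= now <= ready + UNSTAKE_WINDOW

    def transfer(self, src: str, dst: str, amount: int, now: int) -> None:
        s, d = self.acct(src), self.acct(dst)
        if amount <= 0 or s.balance < amount:
            raise ValueError("bad amount")
        # Funds carrying no cooldown are treated as locked right now (assumption).
        incoming = s.cooldown_start if s.cooldown_start is not None else now
        if d.cooldown_start is not None and d.balance > 0:
            if self.mix:
                # Amount-weighted average of the two cooldown timestamps.
                d.cooldown_start = (d.balance * d.cooldown_start
                                    + amount * incoming) // (d.balance + amount)
            elif incoming != d.cooldown_start:
                # Mitigation: a receiver with an active cooldown only accepts
                # funds that share exactly that cooldown, so nothing is mixed.
                raise ValueError("transfer would mix cooldowns")
        s.balance -= amount
        d.balance += amount


def refresh_trick(mix: bool = True) -> bool:
    """A pool one hour from leaving its window receives 10% freshly locked
    tokens. Returns whether the pool can still unstake one hour *after* its
    original window would have closed."""
    tok = CooldownToken(mix=mix)
    tok.mint("pool", 1000)
    tok.start_cooldown("pool", 0)        # ready at day 10, window closes day 12
    now = 12 * DAY - 3600
    assert tok.can_unstake("pool", now)  # still inside the original window
    tok.mint("mixer", 100)
    tok.start_cooldown("mixer", now)     # freshly locked tokens
    try:
        tok.transfer("mixer", "pool", 100, now)
    except ValueError:
        return False                     # mitigated: the refresh is refused
    return tok.can_unstake("pool", 12 * DAY + 3600)


def lock_trick(mix: bool = True) -> bool:
    """Alice's cooldown has just completed; a larger, still-locked amount is
    sent to her. Returns whether Alice can still unstake at that moment."""
    tok = CooldownToken(mix=mix)
    tok.mint("alice", 100)
    tok.start_cooldown("alice", 0)
    now = 10 * DAY                       # Alice is exactly ready
    tok.mint("mallory", 1000)
    tok.start_cooldown("mallory", now - DAY)  # nine days of cooldown left
    try:
        tok.transfer("mallory", "alice", 1000, now)
    except ValueError:
        pass                             # mitigated: Alice's state untouched
    return tok.can_unstake("alice", now)


if __name__ == "__main__":
    print("refresh trick works:", refresh_trick(True), "/ mitigated:", refresh_trick(False))
    print("lock trick works:", lock_trick(True), "/ mitigated:", lock_trick(False))
```

In the averaging variant the pool's cooldown timestamp moves forward by roughly one day (from 0 to 93927 seconds) after absorbing 10% fresh tokens, which is enough to keep it inside the window well past the original deadline; in the second scenario Alice's ready time jumps from day 10 to about day 18 without any action on her part. With mixing refused, both transfers revert and the receiver's schedule is unchanged.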