Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L316
Vulnerability details
Impact
Contract creator could steal all rewards using frontrunning
Proof of Concept
When a yield pool is created, the pool's tax is set equal to the factory's current global tax, and the funds that pay for the pool's rewards are transferred into the contract. The contract creator can set the global tax to 100% in a transaction that frontruns a pool creation; the pool is then created with a 100% tax and the contract creator receives all rewards that pool distributes.
Tools Used
Recommended Mitigation Steps
Add a maximum global tax so that it can never reach 100%. Frontrunning protection can also be added: when a pool is created, the creator passes the tax they accept as calldata, and if it differs from the actual global tax at execution time (for example because a frontrunning transaction changed it), pool creation should revert.
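The two mitigations above, sketched as an added illustrative contract. This is not the FactoryDAO code; the names (`globalTax`, `MAX_TAX`, `setGlobalTax`, `createPool`, `expectedTax`, `Pool`), the basis-point encoding and the 20% cap are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch (not the FactoryDAO contract). Every identifier and
// constant here is an assumption chosen for the example.
contract TaxedPoolFactory {
    // Tax is expressed in basis points: 10_000 == 100%.
    uint256 public constant BPS = 10_000;
    // Hard ceiling on the owner-settable tax (assumed 20% for the example).
    uint256 public constant MAX_TAX = 2_000;

    address public immutable owner;
    uint256 public globalTax;

    struct Pool {
        address creator;
        uint256 rewardFunding;
        uint256 taxAtCreation;
    }
    Pool[] public pools;

    event PoolCreated(uint256 indexed poolId, address indexed creator, uint256 tax);

    constructor(uint256 initialTax) {
        require(initialTax <= MAX_TAX, "tax above cap");
        owner = msg.sender;
        globalTax = initialTax;
    }

    // Mitigation 1: the owner can never raise the tax above the cap, so a
    // frontrun can at worst cost the pool creator MAX_TAX, not 100%.
    function setGlobalTax(uint256 newTax) external {
        require(msg.sender == owner, "not owner");
        require(newTax <= MAX_TAX, "tax above cap");
        globalTax = newTax;
    }

    // Mitigation 2: the pool creator states the tax they agreed to. If the
    // owner frontran this call with setGlobalTax, the two values differ and
    // the transaction reverts instead of locking the funding under a tax the
    // creator never accepted.
    function createPool(uint256 expectedTax) external payable returns (uint256 poolId) {
        require(expectedTax == globalTax, "tax changed since submission");
        require(msg.value > 0, "no reward funding");
        pools.push(Pool({creator: msg.sender, rewardFunding: msg.value, taxAtCreation: globalTax}));
        poolId = pools.length - 1;
        emit PoolCreated(poolId, msg.sender, globalTax);
    }

    // Tax owed on a reward distribution from a given pool, computed from the
    // tax snapshotted at creation rather than the live global value.
    function taxOn(uint256 poolId, uint256 reward) external view returns (uint256) {
        return reward * pools[poolId].taxAtCreation / BPS;
    }
}
```

The `expectedTax` check is the same pattern as slippage parameters on a DEX swap: the caller commits to the terms they saw when building the transaction, and any state change between submission and inclusion makes the call fail closed rather than execute on worse terms.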