code-423n4 / 2022-05-rubicon-findings


Fee can be set arbitrarily high at BathToken #399

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L260-L262

Vulnerability details

Impact

Bath house admin can set arbitrarily high fees

Proof of Concept

Bath house admin can front-run users by setting feeBPS to 10000, and at the moment of withdrawal the fee will be 100%.

Similar issues

https://github.com/code-423n4/2021-05-nftx-findings/issues/51

Recommended Mitigation Steps

A max fee variable should be used in order to limit the maximum possible fee.
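Illustrative contract, added here and not Rubicon's BathToken code: the unbounded fee setter the finding describes next to a capped one. The names (`bathHouse`, `MAX_FEE_BPS`, `feeOn`) and the 10% ceiling are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical pool contract (not Rubicon's BathToken). Shows why an
// admin-settable fee in basis points needs an upper bound.
contract FeeCapExample {
    uint256 public constant BPS_DENOMINATOR = 10_000;
    uint256 public constant MAX_FEE_BPS = 1_000; // assumed ceiling: 10%

    address public bathHouse; // assumed admin role
    uint256 public feeBPS;

    modifier onlyBathHouse() {
        require(msg.sender == bathHouse, "not bath house");
        _;
    }

    constructor() {
        bathHouse = msg.sender;
    }

    // Unbounded setter, as in the finding: the admin may pass 10_000,
    // after which feeOn(amount) == amount, i.e. a 100% fee on withdrawal.
    function setFeeBPSUnbounded(uint256 _feeBPS) external onlyBathHouse {
        feeBPS = _feeBPS;
    }

    // Mitigated setter: the fee can never exceed MAX_FEE_BPS.
    function setFeeBPS(uint256 _feeBPS) external onlyBathHouse {
        require(_feeBPS <= MAX_FEE_BPS, "fee exceeds MAX_FEE_BPS");
        feeBPS = _feeBPS;
    }

    // Fee deducted from a withdrawal of `amount` at the current feeBPS.
    function feeOn(uint256 amount) public view returns (uint256) {
        return (amount * feeBPS) / BPS_DENOMINATOR;
    }
}
```

With the capped setter the worst case is a 10% fee; a cap bounds the damage but does not by itself stop an admin from raising the fee ahead of a pending withdrawal, so a timelock on fee changes is a common companion control.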

bghughes commented 2 years ago

Duplicate of #125 #411

HickupHH3 commented 2 years ago

Duplicate of #21