Closed code423n4 closed 2 years ago
sponsor confirmed: i think an upper limit would be worth doing
hmmm, yes, but a malicious owner is a pretty big assumption and that same malicious owner could simply upgrade these contracts to whatever they wanted.
Yeah, when there are upgradeable contracts in the mix lots of these kinds of things become irrelevant.
But this definitely is an issue with the system outside of upgradeability.
Can make it a LOW.
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L226-L229 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L406-L450
Vulnerability details
Here's the interesting part in the stake method:
A malicious owner could frontrun a stake transaction with a
setWarmUpPeriod
, permalocking the funds:Mitigation
Consider providing a sensible upper limit to
warmUpPeriod
of, say, a month. This will give raise trust on the fact that a user's funds won't be locked forever