code-423n4 / 2022-08-frax-findings


Owner can change timelock at any time #325

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L204-L207

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L215-L222

Vulnerability details

Contract FraxlendPair implements logic for changing the timelock and the protocol fee. The functionality of changing the fee is reserved to TIME_LOCK_ADDRESS, which is expected to be a timelock contract that protects users from accidental changes of the fee while using the protocol. The issue is that the owner can use setTimeLock at any time to change TIME_LOCK_ADDRESS to an EOA address and execute changeFee to increase the value of the fee to the maximum.

Scenario:

  1. Users interact with the protocol while the fee is 5%.
  2. Users trigger some transactions.
  3. The owner changes the timelock address to himself and then changes the fee to 50%.
  4. The owner's transaction is included before the users' transactions, which ends up with users being charged a fee of 50%.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add a timelock to setTimeLock.
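
One way to apply the mitigation recommended above, as an added Solidity sketch that is not part of the original report and is not FraxlendPair code: setTimeLock only queues the new address, and a separate call applies it after a delay, so users see the pending change on-chain before changeFee can be reached through a new address. The contract name, applyTimeLock, the pending-state variables, the 2-day delay and the fee precision are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Added illustration, not FraxlendPair source. Only setTimeLock, changeFee and
// TIME_LOCK_ADDRESS come from the report; every other name and value is assumed.
contract PairTimelockSketch {
    uint256 public constant TIMELOCK_CHANGE_DELAY = 2 days; // assumed delay
    uint32 public constant MAX_FEE = 50_000; // assumed: 50% at 1e5 precision

    address public immutable owner;
    address public TIME_LOCK_ADDRESS;
    address public pendingTimeLock;
    uint256 public pendingTimeLockEta; // 0 means nothing is queued
    uint32 public fee;

    event TimeLockQueued(address indexed newTimeLock, uint256 eta);
    event TimeLockSet(address indexed oldTimeLock, address indexed newTimeLock);
    error Unauthorized();
    error DelayNotElapsed(uint256 eta);
    error FeeTooHigh();

    constructor(address _timeLock) {
        owner = msg.sender;
        TIME_LOCK_ADDRESS = _timeLock;
    }

    // Step 1: the owner can only queue a replacement; the event gives users notice.
    function setTimeLock(address _newAddress) external {
        if (msg.sender != owner) revert Unauthorized();
        pendingTimeLock = _newAddress;
        pendingTimeLockEta = block.timestamp + TIMELOCK_CHANGE_DELAY;
        emit TimeLockQueued(_newAddress, pendingTimeLockEta);
    }

    // Step 2: the swap takes effect only once a queued change has waited out the delay.
    function applyTimeLock() external {
        if (msg.sender != owner) revert Unauthorized();
        uint256 eta = pendingTimeLockEta;
        if (eta == 0 || block.timestamp < eta) revert DelayNotElapsed(eta);
        emit TimeLockSet(TIME_LOCK_ADDRESS, pendingTimeLock);
        TIME_LOCK_ADDRESS = pendingTimeLock;
        delete pendingTimeLockEta; // a new change must be queued and waited out again
    }

    // Fee changes stay reserved to the timelock, as the report describes.
    function changeFee(uint32 _newFee) external {
        if (msg.sender != TIME_LOCK_ADDRESS) revert Unauthorized();
        if (_newFee > MAX_FEE) revert FeeTooHigh();
        fee = _newFee;
    }
}
```

With this shape, the owner can no longer swap the timelock and raise the fee back to back ahead of pending user transactions: the swap is announced by TimeLockQueued and cannot take effect until TIMELOCK_CHANGE_DELAY has passed.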

0xA5DF commented 2 years ago

Dupe of #249

DrakeEvans commented 2 years ago

duplicate #129