code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L87

Vulnerability details

Impact

No way to convert theETH rewards to frxETH on Multisig Treasury Contract so the rewards will be locking their

Proof of Concept

-In case submitPaused == true. no rewards will be converted to frxETH. and the users will not be able to get their yield intel submitPaused == false

Recommended Mitigation Steps

Creat a new _submit() for Multisig Treasury Contract with no check for submitPaused state

FortisFortuna commented 2 years ago

We are well aware of the permission structure. The owner will most likely be a large multisig. We mentioned the Frax Multisig in the scope too. If moving funds, it is assumed someone in the multisig would catch an invalid or malicious address.

joestakey commented 2 years ago

Duplicate of #246

0xean commented 2 years ago

I don't believe this issue is a dupe of #246 - to me it sounds like the warden believes that no rewards are accrued when submissions are disabled. I think the misunderstanding is where rewards accrue

Exchange rate increases as the frax msig mints new frxETH corresponding to the staking yield and drops it into the vault (sfrxETH contract).

code-423n4 / 2022-09-frax-findings

`Multisig Treasury Contract` could lock the rewards #269

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps