zobront
commented
2 years ago You can only call triggerEndEpoch() after the epoch, while triggerDepeg() can be called during the epoch.
Closed code423n4 closed 2 years ago
zobront
commented
2 years ago You can only call triggerEndEpoch() after the epoch, while triggerDepeg() can be called during the epoch.
MiguelBits
commented
2 years ago Working as intended
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L198 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L148
Vulnerability details
Impact
There are two functions to end an epoch:
triggerDepeg()andtriggerEndEpoch(). For each epoch, only one of them can be called.triggerDepeg()can only be called if the underlying asset depegged. Under normal circumstances, you can only calltriggerEndEpoch(). But, if the asset did depeg,triggerEndEpoch()is still callable.Thus, it's possible to set up a bot that will frontrun any other tx to call
triggerEndEpoch()instead oftriggerDepeg(). This will mean a loss of funds for the users who deposited into the insurance vault.Proof of Concept
triggerDepeg()can only be called if theisDisastermodifier passes: https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L148triggerEndEpoch()can always be called: https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L198If one has been called, the
idFinalTVLwill not be0and thus, the following check will fail: https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L215For each epoch, you can call either function only once.
Tools Used
none
Recommended Mitigation Steps
Instead of having two separate functions use a single function that checks for the depeg condition and acts accordingly.