search

code-423n4 / 2022-12-prepo-findings

0 stars 1 forks source link

Long and short tokens can continue to be minted even after expiry #300

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/PrePOMarket.sol#L65-L74

Vulnerability details

Impact

Users can mint after expiry but before the final price has been set

Proof of Concept

function mint(uint256 _amount) external override nonReentrant returns (uint256) {
    require(finalLongPayout > MAX_PAYOUT, "Market ended");
    require(collateral.balanceOf(msg.sender) >= _amount, "Insufficient collateral");
    if (address(_mintHook) != address(0)) _mintHook.hook(msg.sender, _amount, _amount);
    collateral.transferFrom(msg.sender, address(this), _amount);
    longToken.mint(msg.sender, _amount);
    shortToken.mint(msg.sender, _amount);
    emit Mint(msg.sender, _amount);
    return _amount;
}

PrePOMarket#mint continues to work until the owner has set the final long payout. It completely disregards expiryTime. This would allow users to mint between when the long price is set and the IPO/ICO final price.

Tools Used

Manual Review

Recommended Mitigation Steps

Only allow users to mint up to expiryTime

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #285

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid