code-423n4 / 2022-12-tigris-findings


Upgraded Q -> M from #268 [1674418407759] #668

Closed c4-judge closed 1 year ago

c4-judge commented 1 year ago

Judge has assessed an item in Issue #268 as M risk. The relevant finding follows:

[L-02] Front-running attacks by the owner

The project has one possible attack vector by the onlyOwner:

The daoFees, burnFees, referralFees and botFees variables determine the fee rate. The default deposit fees equal zero. They can be updated by onlyOwner with the setFees function.

When a user uses the feed, expecting to have zero fee, the owner can front-run the fee function and increase fees to 10000 bps. If the size is big enough, that may be a significant amount of money.

contracts/Trading.sol, lines 951-969:

```solidity
function setFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent) external onlyOwner {
    unchecked {
        require(_daoFees >= _botFees+_referralFees*2);
        if (_open) {
            openFees.daoFees = _daoFees;
            openFees.burnFees = _burnFees;
            openFees.referralFees = _referralFees;
            openFees.botFees = _botFees;
        } else {
            closeFees.daoFees = _daoFees;
            closeFees.burnFees = _burnFees;
            closeFees.referralFees = _referralFees;
            closeFees.botFees = _botFees;
        }
        require(_percent <= DIVISION_CONSTANT);
        vaultFundingPercent = _percent;
    }
}
```

Recommended Mitigation Steps

Use a timelock to avoid instant changes of the parameters.
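One way to implement the recommended timelock, as an added example that is not Tigris code and not part of the original finding: the owner can only queue a fee change, and it becomes live after a fixed delay, so a pending trade cannot be front-run by a silent fee increase. The 2-day delay and the DIVISION_CONSTANT value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Tigris code): fee changes are announced first and can only
// take effect after MIN_DELAY, so users see the new rate before it applies.
contract TimelockedFees {
    struct Fees { uint daoFees; uint burnFees; uint referralFees; uint botFees; }

    uint public constant MIN_DELAY = 2 days;        // assumed delay; choose per project
    uint public constant DIVISION_CONSTANT = 1e10;  // assumed value, mirrors the name in the finding

    address public owner;
    Fees public openFees;
    Fees public closeFees;
    uint public vaultFundingPercent;

    // Pending change queued by the owner; anyone can read it before it applies.
    Fees public pendingFees;
    bool public pendingOpen;
    uint public pendingPercent;
    uint public pendingEta; // 0 means nothing is queued

    event FeesQueued(bool open, uint daoFees, uint burnFees, uint referralFees, uint botFees, uint percent, uint eta);
    event FeesApplied(bool open, uint eta);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Step 1: the owner announces the change. Same invariants as setFees, but nothing changes yet.
    function queueFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent) external onlyOwner {
        require(_daoFees >= _botFees + _referralFees * 2, "dao fee too low");
        require(_percent <= DIVISION_CONSTANT, "percent too high");
        pendingFees = Fees(_daoFees, _burnFees, _referralFees, _botFees);
        pendingOpen = _open;
        pendingPercent = _percent;
        pendingEta = block.timestamp + MIN_DELAY;
        emit FeesQueued(_open, _daoFees, _burnFees, _referralFees, _botFees, _percent, pendingEta);
    }

    // Step 2: anyone may apply the queued values, but only once the delay has elapsed.
    function applyFees() external {
        require(pendingEta != 0 && block.timestamp >= pendingEta, "timelock not elapsed");
        if (pendingOpen) openFees = pendingFees; else closeFees = pendingFees;
        vaultFundingPercent = pendingPercent;
        emit FeesApplied(pendingOpen, pendingEta);
        pendingEta = 0;
    }
}
```

Off-chain monitoring can alert on the FeesQueued event so that users and integrators learn about a pending increase during the delay window rather than after it applies.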

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #377

c4-judge commented 1 year ago

GalloDaSballo marked the issue as satisfactory