Users who request mint during the period when the admin is actively adjusting MintFees cannot clearly limit the maximum range of MintFees, resulting in completing the transaction with unexpected trading conditions.
Proof of Concept
Given:
mintFee = 0
Alice call requestMint() with collateralAmountIn = 10,000 try deposit 10,000 collateral
Admin call setMintFee() change mintFee to 1,000 bps, or 10%, with higher gas price than Alice
mintFee change transaction was executed faster than Alice's tx because it was given a higher gas price.
When Alice's requestMint() is executed, a 10% mint fee will be charged which is not what Alice expected when she submitted the transaction. If the fee is higher than 1%, Alice will not submit the transaction.
Recommended Mitigation Steps
requestMint() should privede a minDepositValueAfterFees as slippage control
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L195-L231
Vulnerability details
Impact
Users who request mint during the period when the admin is actively adjusting MintFees cannot clearly limit the maximum range of MintFees, resulting in completing the transaction with unexpected trading conditions.
Proof of Concept
Given:
Alice call
requestMint()
withcollateralAmountIn = 10,000
try deposit 10,000 collateralAdmin call
setMintFee()
changemintFee
to 1,000 bps, or 10%, with higher gas price than AlicemintFee
change transaction was executed faster than Alice's tx because it was given a higher gas price.When Alice's requestMint() is executed, a 10% mint fee will be charged which is not what Alice expected when she submitted the transaction. If the fee is higher than 1%, Alice will not submit the transaction.
Recommended Mitigation Steps
requestMint()
should privede aminDepositValueAfterFees
as slippage control