Closed code423n4 closed 1 year ago
mattt21 marked the issue as sponsor confirmed
Picodes marked the issue as duplicate of #24
To me, this is another instance of #24. Delaying the update until the next epoch won't really solve the issue: we could always imagine deposit
transactions being pending in the mempool during a whole epoch. The root cause is again that depositors cannot protect themselves against unfavorable price changes.
Picodes marked the issue as satisfactory
Picodes changed the severity to 3 (High Risk)
I agree with your decision.
Lines of code
https://github.com/code-423n4/2023-03-mute/blob/4d8b13add2907b17ac14627cfa04e0c3cc9a2bed/contracts/bonds/MuteBond.sol#L153-L200 https://github.com/code-423n4/2023-03-mute/blob/4d8b13add2907b17ac14627cfa04e0c3cc9a2bed/contracts/bonds/MuteBond.sol#L129-L133
Vulnerability details
Impact
Detailed description of the impact of this finding. There is a race condition between
MuteBond#setEpochDuration()
andMuteBond#deposit()
. The issue is that when a newEpochDuration
is set, it will take effect immediately, which will affect the bond price. As a result, depending on the order of these two functions, users who deposit before or afterMuteBond#setEpochDuration()
will have two totally different bond prices - a race condition.Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Let's analyze a race condition between
MuteBond#setEpochDuration()
andMuteBond#deposit()
:Tools Used
VSCode
Recommended Mitigation Steps
The new set
epochDuration
should only take effect in the next epoch.