https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L484-L507
Users can deposit funds (NFTs, baseTokens) into private pools, but they receive no incentive for doing so.
On the other hand, owners can withdraw any token from their pool.
Thus, users lose their funds forever to the pool owners.
This will cause distrust in the project: users will stop trusting the entire logic, not just this feature.
Tools Used
VS Code
Recommended Mitigation Steps
There are two options:
Option 1: Add incentive logic for deposits.
Example: revenue sharing with depositors in private pools, LP staking logic.
Option 2: Modify deposit so that only the owner can call it.
function deposit(uint256[] calldata tokenIds, uint256 baseTokenAmount) public payable onlyOwner {
    // ~~~ ~~~ //
}
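The open deposit path next to Option 2, as an added example that is not code from the report or from the Caviar repository. It is a simplified model that assumes ETH as the base token and omits NFTs and pricing; `PoolBase`, `OpenDepositPool`, `OwnerOnlyDepositPool`, the `Deposit` event and the `Unauthorized` error are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model constructed for this example: ETH as the base token, no NFTs,
// no pricing logic. Names other than deposit/withdraw/onlyOwner are hypothetical.
abstract contract PoolBase {
    address public immutable owner;

    error Unauthorized();

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // As described in the finding: the owner can pull any balance out of the pool.
    function withdraw(uint256 amount) external onlyOwner {
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}

// Before: anyone may deposit. No share or receipt is recorded for the caller,
// so a non-owner has no path to recover the funds; only withdraw() moves them.
contract OpenDepositPool is PoolBase {
    event Deposit(address indexed from, uint256 baseTokenAmount);

    function deposit(uint256 baseTokenAmount) external payable {
        require(msg.value == baseTokenAmount, "amount mismatch");
        emit Deposit(msg.sender, baseTokenAmount);
    }
}

// After (Option 2): the same function gated by onlyOwner. A call from any other
// address reverts with Unauthorized() and the ETH stays with the caller.
contract OwnerOnlyDepositPool is PoolBase {
    event Deposit(address indexed from, uint256 baseTokenAmount);

    function deposit(uint256 baseTokenAmount) external payable onlyOwner {
        require(msg.value == baseTokenAmount, "amount mismatch");
        emit Deposit(msg.sender, baseTokenAmount);
    }
}
```

Option 2 only closes the deposit() entry point; assets transferred straight to the pool's address do not pass through it.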
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L484