code-423n4 / 2023-05-asymmetry-mitigation-findings


Mitigation Confirmed for M-04 #16

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Note: The issue has not actually been resolved, but for some reason I can't get my issues to submit without "Mitigation confirmed (no new vulnerabilities detected)" checked, so I am doing this as a workaround.

Severity

Medium

Lines of code

https://github.com/asymmetryfinance/smart-contracts/pull/228/files#diff-6abc8f2e4ad1647a12784e9fbf18e9c5f86c05668e3e89e2a51ab569992b214fR111-R116

Impact

Proof of Concept

The root cause of M-04 has still not been addressed, since the contract still doesn't allow the user to specify a deadline. This means the vulnerability presented in the original submission is still valid.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a deadline check on both withdrawals and deposits in the safETH.sol contract:

-   function stake() external payable returns (uint256 mintedAmount) {
+   function stake(uint256 deadline) external payable returns (uint256 mintedAmount) {
+       require(block.timestamp <= deadline);
        require(pauseStaking == false, "staking is paused");
        require(msg.value >= minAmount, "amount too low");
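
Review bot: the new `require(block.timestamp <= deadline);` carries no revert reason, while the two `require` statements directly below it do; a message such as `require(block.timestamp <= deadline, "deadline expired");` keeps the function's error reporting consistent and makes a stale transaction's revert readable to the caller. The recommendation also asks for the check on both withdrawals and deposits, but the snippet only shows `stake()`; the corresponding change to the withdrawal path is not shown.
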

d3e4 commented 1 year ago

RocketSwapRouter sets the deadline to block.timestamp itself. See #36.

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory