code-423n4 / 2023-05-juicebox-findings


mintedAmount/reservedRate mutex is not protected #153

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L158

Vulnerability details

Impact

didPay, and the swap/mint there, will be called with incorrect values, possibly losing user funds through bad trades.

Proof of Concept

mintedAmount and reservedRate are not protected from being overwritten before didPay:

```solidity
// Pass the quote and reserve rate via a mutex
mintedAmount = _tokenCount;
reservedRate = _data.reservedRate;
```

Anyone can call payParams with the correct params and set a new mintedAmount and reservedRate.

Then, when the controller calls didPay, these incorrect values would be used for the swap and mint.

Tools Used

vscode

Recommended Mitigation Steps

Add a mutex lock, e.g. if mintedAmount and reservedRate are not 1, don't allow payParams to be called.

Assessed type

Access Control
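
The pattern the report describes, as an added illustration that is not the project's JBXBuybackDelegate and not code from the report: two hook calls share state through storage, with the first call writing it and the second consuming it. The contract below shows that pattern together with the two guards a reviewer would expect around it, restricting both hooks to a single trusted caller and refusing to overwrite values that have not yet been consumed (the "not 1" sentinel check the report recommends). The contract, `terminal`, `UNSET` and both function signatures are hypothetical; the real delegate's interface differs, and the finding as filed was judged invalid, so this is a demonstration of the mitigation pattern rather than a claim about the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical delegate (not JBXBuybackDelegate) that hands values from a
/// quoting hook to a settlement hook through storage, guarded so that only
/// the trusted caller can write them and pending values cannot be overwritten.
contract StorageMutexDelegate {
    // Non-zero sentinel meaning "no value pending"; keeps the slot warm so
    // writes stay cheap, and matches the "not 1" check the report suggests.
    uint256 private constant UNSET = 1;

    // Only this address may drive the two-step flow (assumption: the
    // terminal/controller that calls both hooks).
    address public immutable terminal;

    uint256 private mintedAmount = UNSET;
    uint256 private reservedRate = UNSET;

    error Unauthorized();
    error MutexHeld();
    error MutexEmpty();

    constructor(address _terminal) {
        terminal = _terminal;
    }

    /// Step 1: the terminal asks for a quote and we stash what didPay needs.
    function payParams(uint256 _tokenCount, uint256 _reservedRate)
        external
        returns (uint256)
    {
        // Guard 1: an arbitrary caller must not be able to seed the values.
        if (msg.sender != terminal) revert Unauthorized();
        // Guard 2: refuse to overwrite values didPay has not yet consumed.
        if (mintedAmount != UNSET || reservedRate != UNSET) revert MutexHeld();

        mintedAmount = _tokenCount;
        reservedRate = _reservedRate;
        return _tokenCount;
    }

    /// Step 2: the terminal calls back; consume the values and release the
    /// mutex in the same transaction so nothing stale survives to the next pay.
    function didPay() external returns (uint256 amount, uint256 rate) {
        if (msg.sender != terminal) revert Unauthorized();
        if (mintedAmount == UNSET || reservedRate == UNSET) revert MutexEmpty();

        amount = mintedAmount;
        rate = reservedRate;

        // Release before doing any external work (swap/mint) so a reentrant
        // call cannot observe or reuse the values.
        mintedAmount = UNSET;
        reservedRate = UNSET;

        // ... perform the swap / mint with `amount` and `rate` here ...
    }

    /// View helper so tests can confirm the mutex is released after didPay.
    function mutexHeld() external view returns (bool) {
        return mintedAmount != UNSET || reservedRate != UNSET;
    }
}
```

Ordering matters in didPay: the storage is reset before any swap or mint happens, so a caller that re-enters during the external call finds the mutex empty rather than a second copy of the same quote. Whether the caller restriction alone is sufficient depends on how the terminal sequences payParams and didPay within one payment, which is the question the duplicate issue (#60) turned on.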

c4-pre-sort commented 1 year ago

dmvt marked the issue as duplicate of #60

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid