Due to the absence of a deadline parameter, pending transactions can be maliciously executed at a later point.
Proof of Concept
The liquidate() function in Vault.sol is basically a swap between prize tokens and Vault shares. Without a deadline parameter, a user can unknowingly perform bad swaps.
1) Alice wants to liquidate 100 prize tokens with Vault shares at an exchange rate of 2:1.
2) The transaction is submitted to the mempool. However, Alice chose a transaction fee that is too low for miners to be interested in including her transaction in a block. The transaction stays pending in the mempool for an extended period, which could be hours, days, weeks, or even longer.
3) When the average gas fee drops far enough for Alice's transaction to become interesting again for miners to include, her liquidation is executed. By this time the exchange rate has changed from 2:1 to 3:1, resulting in a bad swap.
Tools Used
Manual Review
Recommended Mitigation Steps
Introduce a deadline parameter to the liquidate() function.
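A sketch of the recommended check, added here as an illustration and not taken from Vault.sol. ToyVault, prizeTokensPerShare, setRate, checkDeadline and DeadlineExpired are hypothetical names, the rate is read as prize tokens paid per Vault share (an assumption), and token transfers are left out so the contract stays self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Toy stand-in for a vault liquidation swap (hypothetical, not pt-v5-vault code).
contract ToyVault {
    error DeadlineExpired(uint256 deadline, uint256 currentTime);

    // Constructed rate: prize tokens paid per Vault share (2:1 at submission time).
    uint256 public prizeTokensPerShare = 2;
    mapping(address => uint256) public sharesOf;

    // Reverts when the transaction is mined after the caller's chosen deadline.
    modifier checkDeadline(uint256 deadline) {
        if (block.timestamp > deadline) {
            revert DeadlineExpired(deadline, block.timestamp);
        }
        _;
    }

    // Stands in for whatever moves the rate while a transaction sits in the mempool.
    function setRate(uint256 newRate) external {
        require(newRate > 0, "rate=0");
        prizeTokensPerShare = newRate;
    }

    // Before: no deadline. A transaction signed at 2:1 still executes
    // days later at 3:1, and 100 prize tokens buy 33 shares instead of 50.
    function liquidate(uint256 prizeTokensIn) external returns (uint256 sharesOut) {
        sharesOut = _swap(msg.sender, prizeTokensIn);
    }

    // After: the caller passes a deadline as a Unix timestamp
    // (for example, submission time plus a few minutes).
    // A stale pending transaction reverts instead of swapping at the new rate.
    function liquidate(uint256 prizeTokensIn, uint256 deadline)
        external
        checkDeadline(deadline)
        returns (uint256 sharesOut)
    {
        sharesOut = _swap(msg.sender, prizeTokensIn);
    }

    // Shared swap logic; the real ERC-20 transfers are omitted in this sketch.
    function _swap(address account, uint256 prizeTokensIn) internal returns (uint256 sharesOut) {
        sharesOut = prizeTokensIn / prizeTokensPerShare;
        sharesOf[account] += sharesOut;
    }
}
```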
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L550-#L556
Assessed type
Other