Open code423n4 opened 1 year ago
minhquanym marked the issue as low quality report
Consider QA
minhquanym marked the issue as primary issue
minhquanym marked the issue as remove high or low quality report
0xRektora marked the issue as disagree with severity
Although not applicable in real world, this can be informational
.
0xRektora marked the issue as sponsor confirmed
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
dmvt marked the issue as grade-a
Lines of code
https://github.com/Tapioca-DAO/tap-token-audit/blob/main/contracts/options/TapiocaOptionBroker.sol#L296-L307
Vulnerability details
Impact
anyone can exitPosition for others in TapiocaOptionBroker, coupled with overlapping condition in isPositionActive on exerciseOption, leads to potential frontrun of user
First of all, anyone can call exitPosition on any position, given the position expires on the following condition =>
block.timestamp >= lock.lockTime + lock.lockDuration
:However, when we look at
exerciseOption
which relies ontOLP.getLock
to check whether an option is exercisable, it is(lockPosition.lockTime + lockPosition.lockDuration) >= block.timestamp;
.In TapiocaOptionLiquidityProvision.sol :
So now we can see when an option is at
(lockPosition.lockTime + lockPosition.lockDuration) == block.timestamp
; it's both exercisable and exitable, but anyone can exit for the option holder.This is suboptimal since:
it creates conflicting condition where the system is no longer deterministic in its state transition ability at a particular timestamp.
Although rare, a user can be front-runned now to prevent him/her from exercising an option.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Tools Used
Recommended Mitigation Steps
either make
isPositionActive
slightly stricter orexpireOption
slightly looser, so that they dont overlap.isPositionActive
Assessed type
Math