Open code423n4 opened 1 year ago
tbrent marked the issue as sponsor confirmed
0xean marked the issue as satisfactory
Per discussion with the judge @0xean, this is a new/unique finding. Adding the "selected for report" label for awarding and reporting purposes.
fixed: only rebalancing trades can disable dutch trades in this manner https://github.com/reserve-protocol/protocol/blob/master/contracts/p1/Broker.sol#L142
Lines of code
https://github.com/reserve-protocol/protocol/blob/99d9db72e04db29f8e80e50a78b16a0b475d79f3/contracts/plugins/trading/DutchTrade.sol#L212-L214
Vulnerability details
Dutch trade now creates a report violation whenever the price is x1.5 than the best price. The issue is that the attacker can fake a report violation by buying with the higher price. Since revenue traders don't have a minimum trade amount, that can cost the attacker near zero funds.
Mitigation might be to create a violation report only if the price is high and the total value of the sell is above some threshold.
Assessed type
Other
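The following is an added example, not code from the issue or from the Reserve protocol contracts: a simplified Python model that compares the violation rule described in the finding with the two gates mentioned on this page (a minimum sell value, and the sponsor's rebalancing-only fix). The `Auction` type, the function names, the strict `>` comparison, the `MIN_VALUE` threshold and the sample auctions are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

VIOLATION_MULTIPLE = Decimal("1.5")  # from the finding: bid price at x1.5 of best price
MIN_VALUE = Decimal("1000")          # hypothetical minimum sell value for a report


@dataclass(frozen=True)
class Auction:
    """Simplified stand-in for a dutch auction; not the DutchTrade contract."""
    sell_amount: Decimal     # amount of the sell token in the lot
    best_price: Decimal      # best price, in buy tokens per sell token
    is_rebalancing: bool     # True for a rebalancing trade, False for a revenue trader


def sell_value(a: Auction) -> Decimal:
    return a.sell_amount * a.best_price


def overpay_cost(a: Auction, bid_price: Decimal) -> Decimal:
    """Amount a bidder pays above the best price to take the whole lot."""
    return max(Decimal(0), (bid_price - a.best_price) * a.sell_amount)


def reports_original(a: Auction, bid_price: Decimal) -> bool:
    # Rule as described in the finding: price alone decides.
    # The strict '>' is an assumption; the issue only says "x1.5".
    return bid_price > VIOLATION_MULTIPLE * a.best_price


def reports_with_threshold(a: Auction, bid_price: Decimal) -> bool:
    # Suggested mitigation: high price AND sell value above a threshold.
    return reports_original(a, bid_price) and sell_value(a) >= MIN_VALUE


def reports_rebalancing_only(a: Auction, bid_price: Decimal) -> bool:
    # Sponsor's fix as stated on this page: only rebalancing trades can
    # disable dutch trades this way.
    return a.is_rebalancing and reports_original(a, bid_price)


# Constructed sample auctions (not real on-chain data).
DUST_REVENUE = Auction(Decimal("0.000001"), Decimal("1"), is_rebalancing=False)
LARGE_REBALANCE = Auction(Decimal("100000"), Decimal("1"), is_rebalancing=True)
HIGH_BID = Decimal("1.6")
```

Under the price-only rule the dust-sized revenue auction produces a report for an overpayment of 0.0000006 buy tokens, while both gated rules ignore it and still report the large rebalancing auction.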