search

code-423n4 / 2023-09-goodentry-mitigation-findings

0 stars 0 forks source link

M-06 MitigationConfirmed #39

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

Comments

RangeManager.initRange, the owner mints tokens upon initialization to avoid the first deposit attack. The input token ratio may not be perfect or a malicious attacker can manipulate the pool tokens ratio in advance, resulting in a certain amount of unused tokens. These tokens will not be refunded but remain within the contract and may be extracted by attackers through cleanup function.

Mitigation

    uint256 asset0_amt = ASSET_0.balanceOf(address(this));
    uint256 asset1_amt = ASSET_1.balanceOf(address(this));
    if (asset0_amt > 0) ASSET_0.safeTransfer(msg.sender, asset0_amt);
    if (asset1_amt > 0) ASSET_1.safeTransfer(msg.sender, asset1_amt);

Add corresponding logic to return excess tokens

Conclusion

LGTM

c4-judge commented 12 months ago

gzeon-c4 marked the issue as satisfactory

c4-judge commented 12 months ago

gzeon-c4 marked the issue as confirmed for report