`depositExactly` could be exploited

[c4-submissions]

Lines of code

https://github.com/GoodEntry-io/ge/blob/3b80be0e86e1c01cd85906e9892e06540e12a842/contracts/TokenisableRange.sol#L244-L255

Vulnerability details

depositExactly benefits the user but harms the protocol. If gas goes lower and token price goes higher (gas fee < 1e-8 token value), attacks could be profitable. I suggest we only allow whitlisted address (OPM) to call this function.

Assessed type

Context

[c4-judge]

gzeon-c4 marked the issue as unmitigated

[gzeon-c4]

low risk imo

[c4-judge]

gzeon-c4 marked the issue as satisfactory

[peppelan]

Hi @gzeon-c4 I can't think of any scenario where this issue can award an attacker more than a handful of wei's of liquidity. Since TokenisableRange mints a baseline 1e18 liquidity at initialization, dust liquidity is necessarily meaningless.

IMO it should be treated like a non-amplifiable rounding error, so QA seems more appropriate.

[c4-judge]

gzeon-c4 marked the issue as new finding

[c4-judge]

gzeon-c4 changed the severity to QA (Quality Assurance)

[c4-judge]

gzeon-c4 marked the issue as grade-b