search

code-423n4 / 2023-10-asymmetry-mitigation-findings

0 stars 0 forks source link

M-05 Unmitigated #38

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

Mitigation of M-05: Mitigation Error, see comments

Link to Issue: https://github.com/code-423n4/2023-09-asymmetry-findings/issues/45

Comments

To mitigate M-05, the sponsor has added a delay of one epoch when the available CVX balance is enough to cover the withdrawal:

81:         uint256 totalLockedBalancePlusUnlockable = unlockable +
82:             trackedCvxBalance;
83: 
84:         if (totalLockedBalancePlusUnlockable >= cvxUnlockObligations) {
85:             withdrawIdToWithdrawRequestInfo[
86:                 latestWithdrawId
87:             ] = WithdrawRequestInfo({
88:                 cvxOwed: cvxAmount,
89:                 withdrawn: false,
90:                 epoch: currentEpoch + 1,
91:                 owner: msg.sender
92:             });
93:             emit WithdrawRequest(msg.sender, cvxAmount, latestWithdrawId);
94: 
95:             return latestWithdrawId;
96:         }

While the intention seems correct, the mitigation contains an edge case at the end of the current epoch. Since the current timestamp may be near the end of the epoch, any difference of at least one second will only delay the process for that minimal amount.

Note, additionally, that this can also happen even if the available CVX amount is not enough to cover the withdrawal amount: it might be the case that the next epoch provides the needed amount. If this is the case, the withdrawal epoch will be set for the next soon to happen epoch. In summary, any present or unlockable amount in the next epoch can be used to trigger the attack when the current timestamp is near the end of the current epoch.

This means the described issue in M-05 can still be exploited at the end of each epoch, since the attacker can still execute the process with minimal exposure to CVX. This error is expanded in issue [ADRIRO-NEW-H-01] (VotiumStrategy withdrawal can still be executed with minimal delay).

Assessed type

Other

toshiSat commented 1 year ago

dupe #9

c4-judge commented 1 year ago

0xleastwood marked the issue as satisfactory