search

code-423n4 / 2024-01-curves-findings

1 stars 0 forks source link

deposit in Curves.sol could be front-run leading to DOS #1497

Closed c4-bot-2 closed 10 months ago

c4-bot-2 commented 10 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L498

Vulnerability details

Impact

The user being front-run can't deposit their curvesTokenSubject into Curves again as the balance of Curves is not enough

Proof of Concept

  1. Alice has 100 curvesTokenSubject and want to deposit to Curves
  2. curvesTokenSubject balance of Curves now is 200
  3. Bob front-runs Alice and deposit with 101 curvesTokenSubject
  4. As the balance is now only 99, Curves rejects the deposit tx of Alice

Tools Used

Manual Review

Recommended Mitigation Steps

Use a private pool for deposit transactions and implement a queue for deposit.

Assessed type

DoS

c4-pre-sort commented 10 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #872

raymondfam commented 10 months ago

Insensible scenario. Check readme: For any token associated with Curves, it's imperative that the total ERC20 supply remains exactly equivalent to the value locked within the Curves protocol. This one-to-one correspondence ensures consistency and integrity between the ERC20 tokens in circulation and the underlying assets within the Curves ecosystem.

c4-judge commented 9 months ago

alcueca marked the issue as unsatisfactory: Invalid