Closed c4-bot-7 closed 5 months ago
cryptotechmaker marked the issue as disagree with severity
Low
dmvt marked the issue as primary issue
dmvt marked the issue as duplicate of #127
dmvt marked the issue as selected for report
dmvt marked the issue as partial-75
dmvt marked issue #127 as primary and marked this issue as a duplicate of 127
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/options/TapiocaOptionLiquidityProvision.sol#L275-L277
Vulnerability details
Description
In
TapiocaOptionLiquidityProvision
(tOLP
) the owner can chose to set an asset in cooldown. This essentially closes down the asset and what has been locked against it, allowing users to withdraw ahead of their lock expiry.This works under a cooldown where the owner must first call
TapiocaOptionLiquidityProvision::requestSglPoolRescue
:This starts a timelock timer until
activateSGLPoolRescue
can be called which triggers the actual rescue mode:rescueCooldown
is by default2 days
, but can be changed by the owner insetRescueCooldown
:The issue is that there is no cooldown on changing
rescueCooldown
. Hence the owner can callrequestSglPoolRescue
then setsetRescueCooldown
to0
and lastly callactivateSGLPoolRescue
to instantly set thesglAsset
in rescue mode.Impact
The owner can bypass the rescue timelock by changing the cooldown, effectively triggering rescue in the same tx as requesting it. This breaks the invariant that an asset must wait a cooldown period before going into rescue mode. Thus removing the possibility for users to act on the changes.
Proof of Concept
Test in
tap-token/test/tOLP.t.sol
:Tools Used
Manual audit
Recommended Mitigation Steps
Consider implementing the same timelock for changing the rescue cooldown as for activating pool rescue.
Assessed type
Timing