Description:Description\
Both the deposit functions multiTokenDeposit() && multiTokenDepositFor() increase the cooldown period of an address for which deposits are being made.
Since multiTokenDepositFor() allows anyone to deposit tokens on behalf of any address and the withdrawals for an address are not allowed before the its cooldown period has passed,
A malicous attacker can frontrun users withdrawal requests and deposit minimum possible tokens on behalf of him in order to increase his cooldown period, As a result User will be prevented for withdrawing his tokens.
The attacker can automate this attack and re-attack every once in a while after the cooldownperiod is about to finish which will halt user withdrawals for a very long time with lesser attack costs.
user initiates withdrawal request multiTokenWithdrawal()
Attacker frontruns user's withdrawal request
And deposits minimum possible tokens on behalf of him via multiTokenDepositFor()
Now the user's cooldown is increased
And the user's withdraw request is reverted
The Attacker Repeats this attack every once in a while after the cooldown period of target user is about to finish and the users withdrawal requests keep reverting.
Impact\
Sky-rocketing loss of User fund
In a situation, where portfolio is performing bad, imagine a whale investor is attacked, and his withdrawal txns are blocked, his net losses will skyrocket in millions of dollars.
Imagine competitors organizing this attack on large scale and targeting whale wallets of rival portfolios.
Aside from that even if user's withdrawals are delayed for single day, business image of the portfolio will be destroyed and will loose large number of investor.
langnavina97
commented
2 months ago
Github username: @burhankhaja Twitter username: imaybeghost Submission hash (on-chain): 0x8719db4eac90d7b4f6167e5bbe7d56f2f8ade8d544c0f04489a1e3ccb2aeb622 Severity: high
Description: Description\ Both the deposit functions
multiTokenDeposit()&&multiTokenDepositFor()increase the cooldown period of an address for which deposits are being made.Since multiTokenDepositFor() allows anyone to deposit tokens on behalf of any address and the withdrawals for an address are not allowed before the its cooldown period has passed,
A malicous attacker can frontrun users withdrawal requests and deposit minimum possible tokens on behalf of him in order to increase his cooldown period, As a result User will be prevented for withdrawing his tokens.
The attacker can automate this attack and re-attack every once in a while after the cooldownperiod is about to finish which will halt user withdrawals for a very long time with lesser attack costs.
Attack Scenario\ .
multiTokenWithdrawal()multiTokenDepositFor()Impact\ Sky-rocketing loss of User fund
In a situation, where portfolio is performing bad, imagine a whale investor is attacked, and his withdrawal txns are blocked, his net losses will skyrocket in millions of dollars.
Imagine competitors organizing this attack on large scale and targeting whale wallets of rival portfolios.
Aside from that even if user's withdrawals are delayed for single day, business image of the portfolio will be destroyed and will loose large number of investor.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)