Open hats-bug-reporter[bot] opened 3 months ago
Hi @deadrosesxyz, can you please add more info around it? It would also be nice if you could include the PoC.
Even if the asset manager rebalances the tokens, the share of each user will still be represented by the portfolio token. The asset manager cannot arbitrarily mint additional tokens, and any changes to the token list will reflect proportionally in the portfolio tokens held by users. The system ensures that users' shares remain intact regardless of the asset manager's actions.
@deadrosesxyz
Github username: @deadrosesxyz
Twitter username: @deadrosesxyz
Submission hash (on-chain): 0xa7a00207ca7c495f1a82b4e795912fcf5fbd1ed238a393a837707fdb19f3b348
Severity: high
Description:
Portfolio manager can steal all funds at any time by removing all tokens

Attack Scenario:
At any time, the portfolio manager can call updateTokenList to change the used tokens list. The problem is that this allows him to remove active tokens, forcing any user within the protocol to suffer a loss.

Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
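The two sides of this thread disagree on whether de-listing a token can hurt depositors. The toy model below is an added illustration, not the project's contract and not the reporter's PoC: the Portfolio class, its method names, the integer prices and the deposit amounts are all constructed assumptions. It models a vault that values itself only over the tokens currently on its list (an assumption about the reported design, not a fact from the page), shows that shares stay proportional while the value backing each share drops when an active token is removed, and contrasts that with a guard that refuses to drop a token the vault still holds.

```python
# Added toy model of a multi-token portfolio vault with an admin-managed token list.
# Hypothetical code: class/method names, prices and amounts are constructed for the
# illustration and are not taken from the project under discussion.


class Portfolio:
    """One share token over a list of assets; the list is editable by an admin."""

    def __init__(self, token_list, prices, guard_active_tokens):
        self.token_list = list(token_list)
        self.prices = dict(prices)                      # constructed unit prices (integers)
        self.balances = {t: 0 for t in self.prices}     # vault holdings per token
        self.shares = {}                                # user -> share balance
        self.total_shares = 0
        self.guard_active_tokens = guard_active_tokens  # mitigation on/off

    def total_value(self):
        # Assumption under test: only tokens still on the list count toward value,
        # so a de-listed balance silently stops backing the shares.
        return sum(self.balances[t] * self.prices[t] for t in self.token_list)

    def deposit(self, user, token, amount):
        if token not in self.token_list:
            raise ValueError(f"{token} is not an accepted asset")
        value = amount * self.prices[token]
        tv = self.total_value()
        # First depositor sets the share price; later deposits mint pro rata.
        minted = value if self.total_shares == 0 else value * self.total_shares // tv
        self.balances[token] += amount
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        return minted

    def redeem_value(self, user):
        # Value a user could withdraw: their pro-rata slice of the listed balances.
        if self.total_shares == 0:
            return 0
        return self.total_value() * self.shares.get(user, 0) // self.total_shares

    def update_token_list(self, new_list):
        removed = [t for t in self.token_list if t not in new_list]
        if self.guard_active_tokens:
            # Mitigation: a token may only leave the list once the vault holds none of it.
            active = [t for t in removed if self.balances[t] > 0]
            if active:
                raise PermissionError(f"cannot de-list tokens with balance: {active}")
        self.token_list = list(new_list)
        return removed


def scenario(guarded):
    """Two depositors, one token each; the admin then drops the second token."""
    vault = Portfolio(["USDA", "USDB"], {"USDA": 1, "USDB": 1}, guarded)
    vault.deposit("alice", "USDA", 100)   # constructed amounts
    vault.deposit("bob", "USDB", 100)
    before = {u: vault.redeem_value(u) for u in ("alice", "bob")}
    try:
        vault.update_token_list(["USDA"])
        blocked = False
    except PermissionError:
        blocked = True
    after = {u: vault.redeem_value(u) for u in ("alice", "bob")}
    # Share counts never change; only the value behind them does.
    return {"blocked": blocked, "before": before, "after": after,
            "shares": dict(vault.shares)}


if __name__ == "__main__":
    print("unguarded:", scenario(False))
    print("guarded:  ", scenario(True))
```

In the unguarded run both users keep exactly 100 shares each, which is the point the project's reply makes, yet each share is now backed by half the value because the de-listed USDB balance no longer counts; whether the real contract behaves this way is what the requested PoC would have to show. The guarded run rejects the update outright, which is the simplest check a reviewer would ask for if the model holds.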