The government can change curve settings before the deposits are processed, and these settings might no longer satisfy users.
Vulnerability Detail
An admin can change curve settings in between deposits. Users who broadcasted txs but were mined after the change might not be satisfied with these new parameters anymore. The curve affects the multiplier, and if it is reduced, the users may not want to lock their tokens for long durations. Users should be able to react and adjust to the changing conditions.
Impact
If settings are changed and there are pending deposits in the mempool, these users will be forced to accept new settings even if they thought they were signing different conditions.
Code Snippet
function setCurve(uint256[] calldata _curve) external onlyGov
function setCurvePoint(uint256 _newPoint, uint256 _position) external onlyGov
Tool used
Manual Review
Recommendation
Consider introducing a parameter similar to slippage, e.g. minMintAmount, so that users can ensure they will get appropriate results when depositing.
HonorLt
medium
Curve change frontrunning
Summary
The government can change curve settings before the deposits are processed, and these settings might no longer satisfy users.
Vulnerability Detail
An admin can change curve settings in between deposits. Users who broadcasted txs but were mined after the change might not be satisfied with these new parameters anymore. The curve affects the multiplier, and if it is reduced, the users may not want to lock their tokens for long durations. Users should be able to react and adjust to the changing conditions.
Impact
If settings are changed and there are pending deposits in the mempool, these users will be forced to accept new settings even if they thought they were signing different conditions.
Code Snippet
Tool used
Manual Review
Recommendation
Consider introducing a parameter similar to slippage, e.g.
minMintAmount, so that users can ensure they will get appropriate results when depositing.Duplicate of #113