sherlock-admin
commented
6 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Closed sherlock-admin closed 6 months ago
sherlock-admin
commented
6 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
evmboi32
medium
Users could gain a lot of points by wash trading.
Summary
Users could gain a lot of points by wash trading.
Vulnerability Detail
Every time the
executeDepositfunction is executed user is minted points based on thedepositAmount. Users could do wash trading by depositing and withdrawing multiple times to gain a lot of points. The only fee the user needs to pay is thegasFeefor announcing, thekeeperFeefor execution, and any possible slippage. The same thing can be done while opening or adjusting a new leveraged position.Impact
This makes the concept of points pointless as anyone could get a large number of points with minimal risk and effort.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/StableModule.sol#L83-L84
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LeverageModule.sol#L132-L133
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LeverageModule.sol#L225-L230
Tool used
Manual Review
Recommendation
If the points should represent something valuable there should be a different way of distributing the points. Maybe based on the duration of the stable collateral deposit. The longer the user has an open position the more points are accrued. This also provides greater value to the protocol as collateral stays in the contract for a longer period of time instead of just a few blocks for wash trading.
Duplicate of #187