Closed sherlock-admin2 closed 8 months ago
2 comment(s) were left on this issue during the judging contest.
ubl4nk commented:
invalid -> if the points should be burnt, so what is the usage of points ?! nothing, also the traders are at risk of losing fund due to the volatile price and also their are paying keeper and trade fees by doing opening and closing the positions in addition of gas-fees.
takarez commented:
invalid: the sponsor confirm that the points is a thing of no value and that they are ok with issue related to it.
joicygiore
medium
Infinite Minting
PointsModule::FMP
Summary
Infinite Minting
PointsModule::FMP
Vulnerability Detail
When
DelayedOrder::_executeStableDeposit()
is called,StableModule::executeDeposit()
->PointsModule::mintDeposit()
will be executed to mint the corresponding amount ofPointsModule::FMP
.But
StableModule::executeWithdraw()
is missing burnThe attacker can invoke
DelayedOrder::announceStableDeposit()
andDelayedOrder::announceStableWithdraw()
infinitely mintPointsModule::FMP
, and ideally complete the work related to Keeper to achieve a non-consuming MinterPointsModule::FMP
POC
Please add the test file to
test/unit/Delayed-Order/
and execute itImpact
Infinite Minting
PointsModule::FMP
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L496-L519 https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/StableModule.sol#L82-L86
Tool used
Manual Review
Recommendation
Consider verifying the maximum peak of tokens deposited by the user, and if the maximum peak part has already obtained the corresponding incentive token, do not call
PointsModule::mintDeposit()
.However, this does not prevent users from receiving multiple addresses repeatedly. It is recommended to consider the use of the token comprehensively,Increase the lock-up time, and burn the corresponding token for withdrawal.Duplicate of #187