The function `redo` can be used to steal all funds in `vat`.

Summary

The lack of permission check for the redo function in LockstakeClipper.sol will result in the function redo being called arbitrarily, thereby stealing incentive funds.

Root Cause

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L275-L313 Lack of permission check for the redo function.

Internal pre-conditions

The auth user sets the chip or tip to larger than 0
The auth user first calls the function kick to start the auction.
Attackers calls the function redo repeatedly to steal the incentive funds.

External pre-conditions

No response

Attack Path

Attackers calls the function redo repeatedly to steal the incentive funds.

Impact

All the funds in vat will be stolen by attackers.

PoC

No response

Mitigation

Add the auth check for the function redo.

sherlock-audit / 2024-06-makerdao-endgame-judging

zraxx - The function `redo` can be used to steal all funds in `vat`. #29

The function `redo` can be used to steal all funds in `vat`.

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

sherlock-audit / 2024-06-makerdao-endgame-judging

zraxx - The function `redo` can be used to steal all funds in `vat`. #29

The function redo can be used to steal all funds in vat.

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

The function `redo` can be used to steal all funds in `vat`.