[M-1] Fuji’s vault would remain vulnerable to an inflation attack despite the explicit measures taken
Description
There is one widely known issue regarding the front-running of the first deposit.
Fuji team is already aware of this and mentions the same on L85 of the base vault, and has added a minAmount protection against it.
However, it's not enough since one can deposit minAmount, withdraw it such that only 1 wei of assets remain in the contract, and then sandwich the first deposit.
Remediation to consider
Contract Changes:
Consider defining state variables to track balances instead of .balanceOf
Or
Consider depositing some amount into the vaults on your own when they are deployed and leave it there.
This will ensure that the total supply of shares will always remain at a certain level.
Other solutions, like minting dead shares to zero address, are suboptimal, as explained in this MixBytes Blog Post.
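The share arithmetic behind this finding, as an added example (a simplified ERC-4626-style model, not code from the Fuji repository or from the report). It compares the first honest depositor's outcome under `.balanceOf` accounting, under a tracked state variable, and with a permanent deployer deposit. `MIN_AMOUNT`, `VICTIM`, the `Vault` class and its rounding directions are assumptions made for illustration.

```python
# Simplified ERC-4626-style share accounting: a constructed model, not Fuji's contract.
MIN_AMOUNT = 10**6   # assumed value for the vault's minAmount check
VICTIM = 10**18      # assumed size of the first honest deposit

class Vault:
    def __init__(self, track_internally=False):
        self.track_internally = track_internally
        self.token_balance = 0    # what asset.balanceOf(vault) would report
        self.tracked_assets = 0   # state variable changed only by deposit/withdraw
        self.total_supply = 0

    def total_assets(self):
        return self.tracked_assets if self.track_internally else self.token_balance

    def deposit(self, assets):
        if assets < MIN_AMOUNT:
            raise ValueError("deposit below minAmount")
        if self.total_supply == 0:
            shares = assets
        else:
            shares = assets * self.total_supply // self.total_assets()  # rounds down
        self.token_balance += assets
        self.tracked_assets += assets
        self.total_supply += shares
        return shares

    def withdraw(self, assets):
        shares = -(-assets * self.total_supply // self.total_assets())  # rounds up
        self.token_balance -= assets
        self.tracked_assets -= assets
        self.total_supply -= shares
        return shares

    def transfer_in(self, assets):
        self.token_balance += assets  # plain token transfer: no shares, no tracking

def first_deposit_outcome(track_internally=False, seed=0):
    """Return (shares minted, assets redeemable) for the first honest depositor."""
    v = Vault(track_internally)
    if seed:
        v.deposit(seed)               # deployer's permanent deposit
    v.deposit(MIN_AMOUNT)             # sequence from the report: deposit minAmount,
    v.withdraw(MIN_AMOUNT - 1)        # withdraw all but 1 wei,
    v.transfer_in(VICTIM)             # then move the share price before the deposit
    shares = v.deposit(VICTIM)
    return shares, shares * v.total_assets() // v.total_supply
```

With `.balanceOf` accounting the depositor is minted zero shares even though the minAmount check passed on every deposit; with tracked state or a seeded vault the rounding loss is at most 1 wei in this model.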