Timelock functionality for xToken is applied on all existing balance
#80
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
1 (Low Risk)
0xKiwi
added
the
sponsor acknowledged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
0x0x0x
Vulnerability details
Proof of Concept
When new tokens are minted for an address, also the existing balance of that given address is timelocked.
For example, if another protocol would want to use
NFTXInventoryStakingand make deposits possible through their protocol, then any deposit will update timelock duration for others and would make it possible to frontrun withdraws by using deposit.Recommended Mitigation Steps
This can be avoided by tracking timelock period for each mint, but it will cost more gas and make the code base more complicated.
Alternatively, add warnings for other protocols about this behaviour
The text was updated successfully, but these errors were encountered: