Timelock functionality for xToken
is applied on all existing balance
#80
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Handle
0x0x0x
Vulnerability details
Proof of Concept
When new tokens are minted for an address, also the existing balance of that given address is timelocked.
For example, if another protocol would want to use
NFTXInventoryStaking
and make deposits possible through their protocol, then any deposit will update timelock duration for others and would make it possible to frontrun withdraws by using deposit.Recommended Mitigation Steps
This can be avoided by tracking timelock period for each mint, but it will cost more gas and make the code base more complicated.
Alternatively, add warnings for other protocols about this behaviour
The text was updated successfully, but these errors were encountered: