Owner can frontrun exercise to increase fees #323

HardlyDifficult · 2022-05-30T18:48:22Z

From horsefacts in #294

Owner can frontrun exercise to increase fees
A malicious owner account can observe and frontrun calls to exercise and extract 100% of the strike price as a protocol fee.

Scenario:

A malicious owner observes a call to exercise in the mempool.
The owner frontruns exercise and calls setFee to set feeRate to 100%
The full strike price is paid as a protocol fee, and 0 ETH are credited to the vault beneficiary.
Recommendation: Ensure the contract owner is a timelock proxy with a waiting period for parameter changes. Emit an event on changes to feeRate (See N-01 below).

HardlyDifficult · 2022-05-30T18:48:31Z

Dupe of #47

JeeberC4 · 2022-06-06T18:13:21Z

Issue recreated with script that includes all required data.

HardlyDifficult added bug Something isn't working duplicate This issue or pull request already exists 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 30, 2022

HardlyDifficult closed this as completed May 30, 2022

HardlyDifficult mentioned this issue May 30, 2022

QA Report #294

Open

JeeberC4 removed bug Something isn't working duplicate This issue or pull request already exists 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 6, 2022

JeeberC4 added the invalid This doesn't seem right label Jun 6, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Owner can frontrun exercise to increase fees #323

Owner can frontrun exercise to increase fees #323

HardlyDifficult commented May 30, 2022

HardlyDifficult commented May 30, 2022

JeeberC4 commented Jun 6, 2022

Owner can frontrun exercise to increase fees #323

Owner can frontrun exercise to increase fees #323

Comments

HardlyDifficult commented May 30, 2022

HardlyDifficult commented May 30, 2022

JeeberC4 commented Jun 6, 2022