race condition between triggerDepeg and triggerEndEpoch #124
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
old-submission-method
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Controller.sol#L102
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Controller.sol#L203
Vulnerability details
Impact
Since both triggerDepeg and triggerEndEpoch can be triggered when block.timestamp == epochEnd and vault.strikePrice() >= getLatestPrice(vault.tokenInsured()) at the specific block, it creates a race condition and thus a nondeterministic outcome.
Proof of Concept
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Controller.sol#L102
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Controller.sol#L203
Tools Used
Recommended Mitigation Steps
Make one of the comparisons inclusive.
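Added example (not part of the original submission and not the Y2K code): a simplified Python model of the two time guards described above, showing that the settlement outcome depends on transaction order only at block.timestamp == epochEnd, and that an inclusive guard removes the overlap. It assumes each guard reverts on a strict comparison with epochEnd; the class, the function names, the choice of which guard to change and the sample prices are hypothetical.

```python
# Added illustration: a simplified model, not the Y2K Controller source.
# Assumption: each trigger's time guard reverts on a strict comparison with
# epochEnd, so neither rejects block.timestamp == epochEnd.
from dataclasses import dataclass
from typing import Optional

class Revert(Exception):
    """Stands in for a reverted transaction."""

@dataclass
class Epoch:
    epoch_end: int
    strike_price: int
    inclusive_guard: bool = False   # True models the recommended mitigation
    outcome: Optional[str] = None   # fixed by whichever trigger succeeds first

    def trigger_depeg(self, now: int, price: int) -> None:
        expired = now >= self.epoch_end if self.inclusive_guard else now > self.epoch_end
        if expired or self.strike_price < price or self.outcome:
            raise Revert("depeg rejected")
        self.outcome = "depeg"

    def trigger_end_epoch(self, now: int) -> None:
        if now < self.epoch_end or self.outcome:
            raise Revert("end rejected")
        self.outcome = "end"

def settle(order, now, price, epoch_end=1000, strike=990, inclusive=False):
    """Apply both trigger calls in the given in-block order; return the outcome."""
    epoch = Epoch(epoch_end, strike, inclusive)
    calls = {"depeg": lambda: epoch.trigger_depeg(now, price),
             "end": lambda: epoch.trigger_end_epoch(now)}
    for name in order:
        try:
            calls[name]()
        except Revert:
            pass  # a reverted call leaves state unchanged
    return epoch.outcome

def ambiguous_timestamps(price, inclusive=False, epoch_end=1000, window=3):
    """Timestamps at which the outcome depends on transaction ordering."""
    return [t for t in range(epoch_end - window, epoch_end + window + 1)
            if settle(("depeg", "end"), t, price, epoch_end, inclusive=inclusive)
            != settle(("end", "depeg"), t, price, epoch_end, inclusive=inclusive)]

if __name__ == "__main__":
    print("vulnerable:", ambiguous_timestamps(price=985))
    print("mitigated: ", ambiguous_timestamps(price=985, inclusive=True))
```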