triggerDepeg()
and triggerEndEpoch()
can be frontrunned
#141
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L203
Vulnerability details
Impact
In
Vault.withdraw()
you have modifierepochHasEnded()
. But it's just checking time, no check ifController
already calledtriggerDepeg()
ortriggerEndEpoch()
So anyone can frontrun
Controller
transactions and withdraw their funds before without losses. For example risker can frontrun trx and withdraw funds in case oftriggerDepeg()
without funds lossSo he will save his funds and get
amount
backhttps://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L203
Tools Used
vs code
Recommended Mitigation Steps
Add explicit var, tells that epoch already ended by
Controller
. And only after that allow users to withdraw fundsThe text was updated successfully, but these errors were encountered: