Ambiguous situation exists for calling triggerDepeg
and triggerEndEpoch
functions when block.timestamp
is set to epochEnd
#421
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L83-L110
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L148-L192
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L198-L248
Vulnerability details
Impact
As shown by the following
isDisaster
modifier, which is used by thetriggerDepeg
function below, and thetriggerEndEpoch
function below, whenblock.timestamp
is set toepochEnd
, both of thetriggerDepeg
andtriggerEndEpoch
functions are allowed to be called. This creates an ambiguous situation. If the depeg event occurs atepochEnd
, the hedge users can have incentive to call thetriggerDepeg
function so they can gain assets from the risk users while the risk users can find this unfair because they believe that the epoch is already over. This encourages racing between thetriggerDepeg
andtriggerEndEpoch
transactions. If thetriggerEndEpoch
transaction is included and executed before thetriggerDepeg
transaction, then the risk users win and the hedge users lose while the vice versa is also true. Either way, it is advantegous to one group and is unfair to the other.https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L83-L110
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L148-L192
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L198-L248
Proof of Concept
Please add the following
error
and append the following test intest\AssertTest.t.sol
. This test will pass to demonstrate the described scenario.Tools Used
VSCode
Recommended Mitigation Steps
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L105-L108 can be updated to the following code:
or
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L202-L204 can be updated to the following code:
but not both for preventing this ambiguous situation.
The text was updated successfully, but these errors were encountered: