Upgraded Q -> M from #268 [1674418407759] #668
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
duplicate-377
satisfactory: satisfies C4 submission criteria; eligible for awards
Judge has assessed an item in Issue #268 as M risk. The relevant finding follows:
[L-02] Front-running attacks by the owner
The project has one possible attack vector via the onlyOwner:
the `daoFees`, `burnFees`, `referralFees` and `botFees` variables;
they determine the fee rate.
The default deposit fees equal zero.
They can be updated by the onlyOwner with the function `setFees`.
When a user uses it, expecting to pay zero fee, the owner can front-run with the fee function and increase fees to 10000 bps. If the size is big enough, that may be a significant amount of money.
contracts/Trading.sol:

```solidity
function setFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent) external onlyOwner {
    unchecked {
        require(_daoFees >= _botFees+_referralFees*2);
        if (_open) {
            openFees.daoFees = _daoFees;
            openFees.burnFees = _burnFees;
            openFees.referralFees = _referralFees;
            openFees.botFees = _botFees;
        } else {
            closeFees.daoFees = _daoFees;
            closeFees.burnFees = _burnFees;
            closeFees.referralFees = _referralFees;
            closeFees.botFees = _botFees;
        }
        require(_percent <= DIVISION_CONSTANT);
        vaultFundingPercent = _percent;
    }
}
```
Recommended Mitigation Steps
Use a timelock to avoid instant changes of the parameters.
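As an added illustration of the recommended mitigation (example code, not from the Tigris Trade repository), the fee setter split into a queue step and an apply step separated by a minimum delay, so a pending fee change is visible on-chain before any trade can be affected by it. The names `queueFees`, `applyFees`, `MIN_DELAY`, `pending` and the `DIVISION_CONSTANT` value are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative timelocked fee setter (not the project's code). The owner can only
// announce new fees; they take effect no earlier than MIN_DELAY later, and only
// with exactly the announced values.
contract TimelockedFees {
    struct Fees { uint daoFees; uint burnFees; uint referralFees; uint botFees; }
    struct PendingFees { Fees fees; uint percent; uint eta; bool exists; }

    uint public constant DIVISION_CONSTANT = 1e10; // assumed value for this example
    uint public constant MIN_DELAY = 2 days;       // assumed delay for this example

    address public owner;
    Fees public openFees;
    Fees public closeFees;
    uint public vaultFundingPercent;
    mapping(bool => PendingFees) public pending;   // keyed by _open (open vs close fees)

    event FeesQueued(bool open, uint daoFees, uint burnFees, uint referralFees, uint botFees, uint percent, uint eta);
    event FeesApplied(bool open, uint eta);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Step 1: the owner announces the change. Same invariants as setFees, checked up front.
    function queueFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent) external onlyOwner {
        require(_daoFees >= _botFees + _referralFees * 2, "fee split");
        require(_percent <= DIVISION_CONSTANT, "percent");
        uint eta = block.timestamp + MIN_DELAY;
        pending[_open] = PendingFees(Fees(_daoFees, _burnFees, _referralFees, _botFees), _percent, eta, true);
        emit FeesQueued(_open, _daoFees, _burnFees, _referralFees, _botFees, _percent, eta);
    }

    // Step 2: anyone may apply the queued values once the delay has elapsed.
    // Because the stored values are applied verbatim, the owner cannot swap in
    // different fees at execution time.
    function applyFees(bool _open) external {
        PendingFees memory p = pending[_open];
        require(p.exists, "nothing queued");
        require(block.timestamp >= p.eta, "timelock active");
        if (_open) { openFees = p.fees; } else { closeFees = p.fees; }
        vaultFundingPercent = p.percent;
        delete pending[_open];
        emit FeesApplied(_open, p.eta);
    }
}
```

Users and front-ends can read `pending` or watch `FeesQueued` to see an upcoming fee change before it is live.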