BathPair requires absolute trust in strategist with no safeguards #74
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate: This issue or pull request already exists
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathPair.sol#L535-L563
Vulnerability details
Submitting as a medium-risk bug because the attacker would have to be a whitelisted strategist.
Impact
A malicious strategist can steal all user funds held by the contract.
Proof of Concept
TailOff lets the strategist specify both the minimum amount out (the hurdle) and the contract responsible for swapping tokens (_stratUtil). A malicious or compromised strategist can therefore drain all user funds in the contract, either by passing a malicious _stratUtil with a hurdle of 0, or by passing a legitimate _stratUtil with a hurdle of 0 and sandwiching the resulting swap.
Tools Used
Recommended Mitigation Steps
Restrict _stratUtil to a whitelist of approved contracts and implement a slippage limit that the strategist cannot bypass with a hurdle of 0.
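As an added illustration of the two mitigation steps (this is not Rubicon's BathPair code; the IStratUtil and IPriceOracle interfaces, the contract name, and the parameter layout are assumptions), a simplified tailOff that whitelists the utility contract and clamps the strategist's hurdle to an owner-set slippage floor checked against the actual balance change:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical sketch, not Rubicon's BathPair code. Two mitigations:
// (1) _stratUtil must be on an owner-managed whitelist;
// (2) the strategist's `hurdle` may only tighten an owner-set slippage floor.
interface IERC20 { function balanceOf(address) external view returns (uint256); }
interface IStratUtil {
    // Pulls `amountIn` of tokenIn from the caller (approval omitted here) and sends tokenOut back to the caller.
    function swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut) external;
}
interface IPriceOracle {
    // Expected tokenOut for `amountIn` of tokenIn at a trusted reference price (assumed to exist).
    function expectedOut(address tokenIn, address tokenOut, uint256 amountIn) external view returns (uint256);
}

contract HardenedTailOff {
    address public immutable owner;
    IPriceOracle public immutable oracle;
    uint256 public maxSlippageBps = 50;                 // 0.50%, owner-controlled
    mapping(address => bool) public isStrategist;
    mapping(address => bool) public approvedStratUtil;  // mitigation 1: whitelist

    constructor(IPriceOracle _oracle) { owner = msg.sender; oracle = _oracle; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyStrategist() { require(isStrategist[msg.sender], "not strategist"); _; }

    function setStrategist(address who, bool ok) external onlyOwner { isStrategist[who] = ok; }
    function setStratUtil(address util, bool ok) external onlyOwner { approvedStratUtil[util] = ok; }
    function setMaxSlippageBps(uint256 bps) external onlyOwner { require(bps <= 1_000, "too loose"); maxSlippageBps = bps; }

    // Effective minimum out: the strategist's hurdle, but never below the oracle-derived floor.
    function minOutFor(address tokenIn, address tokenOut, uint256 amount, uint256 hurdle) public view returns (uint256) {
        uint256 floor = oracle.expectedOut(tokenIn, tokenOut, amount) * (10_000 - maxSlippageBps) / 10_000;
        return hurdle > floor ? hurdle : floor;   // a hurdle of 0 collapses to the floor instead of disabling the check
    }

    function tailOff(address _stratUtil, address tokenIn, address tokenOut, uint256 amount, uint256 hurdle)
        external onlyStrategist returns (uint256 received)
    {
        require(approvedStratUtil[_stratUtil], "stratUtil not whitelisted");
        uint256 minOut = minOutFor(tokenIn, tokenOut, amount, hurdle);
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        IStratUtil(_stratUtil).swap(tokenIn, tokenOut, amount, minOut);
        // mitigation 2: enforce slippage on the real balance change, not on a value the callee reports
        received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minOut, "slippage exceeded");
    }
}
```

The oracle-derived floor is the piece that actually removes the trust assumption on the strategist; the whitelist alone still leaves a hurdle of 0 exploitable by sandwiching.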