Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $90,500 USDC
Total HM: 47
Participants: 169
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 211
League: ETH
Rank: 92/169
Findings: 2
Award: $57.50
🌟 Selected for report: 0
🚀 Solo Findings: 0
22.0241 USDC - $22.02
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L539-L546 https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L629-L636
Vault owner can change fee parameters before quitPeriod, and users may have unexpected results.
uint256 public quitPeriod = 3 days;
Normally quitPeriod is set to 3 days.
function setQuitPeriod(uint256 _quitPeriod) external onlyOwner { if (_quitPeriod < 1 days || _quitPeriod > 7 days) revert InvalidQuitPeriod(); quitPeriod = _quitPeriod; emit QuitPeriodSet(quitPeriod); }
When vault owner proposeFees, vault owner needs to wait three days to change fees. But after waiting for one-day vault owner can setQuitPeriod to 1 day.
function changeFees() external { if (block.timestamp < proposedFeeTime + quitPeriod) revert NotPassedQuitPeriod(quitPeriod); emit ChangedFees(fees, proposedFees); fees = proposedFees; }
After changing quitPeriod to 1 day, Vault owners can changeFees() whenever they want.
Manual Review
#0 - c4-judge
2023-02-16T06:35:57Z
dmvt marked the issue as duplicate of #363
#1 - c4-sponsor
2023-02-18T12:06:18Z
RedVeil marked the issue as sponsor confirmed
#2 - c4-judge
2023-02-23T23:03:44Z
dmvt marked the issue as partial-25