Platform: Code4rena
Start Date: 04/02/2022
Pot Size: $30,000 USDC
Total HM: 3
Participants: 37
Period: 3 days
Judge: leastwood
Id: 84
League: ETH
Rank: 14/37
Findings: 1
Award: $625.19
🌟 Selected for report: 0
🚀 Solo Findings: 0
The admins are the only ones that are able to finalize the sale. Throughout the token buying process, the admins are transferred tokenIn tokens, and the users are expecting to be able to get the corresponding tokenOut tokens once the sale is finalized. The admin can grief the users by never calling finalize, and then the users will not be able to claim their tokens. This isn't necessarily a gain for the admins, but the ability for the admins to take tokenIn tokens and the users never receive their corresponding tokenOut tokens is an issue. Even though the admins may be well intentioned, it is best to mitigate ways that the admins can negatively affect the users, and this is a major way the admins can grief the users.
See code for finalize here. Notice that it is only callable by an admin.
Inspection.
There should be a few extra logic checks in the finalize function (e.g. making sure that a predetermined amount of tokens have been purchased). Then, the finalize function should have the onlyOwner modifier removed, as then there would be no way for the admins to grief users out of all of the tokenOut tokens that they are owed.
#0 - GalloDaSballo
2022-02-10T02:19:06Z
I agree that finalize should be permissioneless, as for the grief, the whole idea behind finalize is that it will be called by the owner right after they sent the tokenOut
Not sure about severity but I think the finding has merit
#1 - 0xleastwood
2022-03-14T12:01:56Z
Duplicate of #50
#2 - 0xleastwood
2022-03-16T12:26:22Z
Duplicate of #61