Platform: Code4rena
Start Date: 13/12/2021
Pot Size: $75,000 USDC
Total HM: 11
Participants: 30
Period: 7 days
Judge: leastwood
Total Solo HM: 4
Id: 68
League: ETH
Rank: 14/30
Findings: 1
Award: $1,100.03
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: pedroais
1001.4677 USDC - $1,001.47
pedroais
Changing the entry and exit fee on the basket doesn't require a timelock. Users could be front-run with a higher fee before entering a basket. The issue is low risk since there is a max cap of 10% on the fee, so it can't be set to 100%.
Even if this attack could only be made by privileged roles, adding a timelock would make the protocol more trustless.
When a user enters a basket with 0 or low fees, his transaction can be front-run. Entry and exit fees could be changed to the max, which is a value the user didn't necessarily agree to.
Add a timelock to change entry and exit fees.
pedroais
ETH could be permanently locked by mistake. The contract has a receive function but no way to extract sent funds. The exitEth function does send ETH to users, but extra funds in the contract's balance will still be locked.
Remove the receive function.
#0 - 0xleastwood
2022-01-23T04:28:46Z
Duplicate of #253