This repository has been archived by the owner on Jan 21, 2024. It is now read-only.
0xTheC0der - SetToken can be indefinitely locked by AuctionRebalanceModuleV1 #25
Labels
Excluded: Excluded by the judge without consulting the protocol or the senior
Non-Reward: This issue will not receive a payout
0xTheC0der
medium
SetToken can be indefinitely locked by AuctionRebalanceModuleV1
Summary
Issuance, redemption, and fee collection of a SetToken can be indefinitely locked by AuctionRebalanceModuleV1.
Vulnerability Detail
The AuctionRebalanceModuleV1.unlock(...) method should allow anyone to unlock a previously locked SetToken (locked by AuctionRebalanceModuleV1.startRebalance(...) for a rebalance auction) as soon as the rebalance duration has elapsed or early unlock is possible (targets are met), in order to re-enable issuance, redemption, and fee collection of a SetToken. Moreover, it is worth mentioning that a SetToken can only be unlocked by the msg.sender who locked it, i.e. via AuctionRebalanceModuleV1.unlock(...) in this case.
However, as already shown by an existing test case, the early unlock can be blocked although all targets are met by setting raiseTargetPercentage > 0 via AuctionRebalanceModuleV1.setRaiseTargetPercentage(...). Furthermore, the rebalance duration can be extended at any time by the SetToken manager by calling AuctionRebalanceModuleV1.startRebalance(...) again with an unreasonably high rebalance duration (there is no upper limit).
Anyway, there is an even simpler way to cause DoS on every unlock attempt (without even setting raiseTargetPercentage > 0): just setting the rebalance duration to type(uint256).max, which will cause AuctionRebalanceModuleV1._isRebalanceDurationElapsed(...) to revert with 'SafeMath: addition overflow' on every unlock attempt.
Impact
Issuance, redemption, and fee collection of a SetToken can be indefinitely locked by AuctionRebalanceModuleV1 by simply blocking or causing DoS of AuctionRebalanceModuleV1.unlock(...).
This behaviour should not be possible and is not suggested by the AuctionRebalanceModuleV1.unlock(...) method, which is accessible by anyone and should allow unlocking a SetToken at least after a reasonable amount of time.
Code Snippet
The following PoC modifies existing test cases to demonstrate DoS on all unlock attempts. Just apply the diff below and run the test with npx hardhat test test/protocol/modules/v1/auctionRebalanceModuleV1.spec.ts.
Tool used
Manual Review
Recommendation
Enforce a reasonable upper limit on the rebalance duration and only allow a new rebalance auction to be started when the previous one elapsed or has concluded (met targets, early unlock). See issue "New auction rebalance can be started before previous one concluded or duration elapsed".
Alternative: In case the described behaviour is intended, the onlyManagerAndValidSet(_setToken) modifier should be added to the unlock(...) method in order to make it clear that the SetToken manager is effectively in total control of the lock/unlock mechanism.
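The overflow described under Vulnerability Detail and the bounded start proposed under Recommendation, as an added JavaScript model that is not part of the original report and not the project's Solidity. The shape of the duration check, the 30-day cap, the function names and the "model:" revert strings are assumptions; only the SafeMath message comes from the report.

```javascript
// Simplified JavaScript model, NOT the project's Solidity. All names and
// revert strings except the SafeMath message are hypothetical.
const UINT256_MAX = (1n << 256n) - 1n;
const MAX_REBALANCE_DURATION = 30n * 24n * 60n * 60n; // assumed cap: 30 days

// SafeMath-style add: revert instead of wrapping past 2^256 - 1.
function safeAdd(a, b) {
  const sum = a + b;
  if (sum > UINT256_MAX) throw new Error("SafeMath: addition overflow");
  return sum;
}

// Assumed shape of the duration check: start + duration <= block.timestamp.
function isRebalanceDurationElapsed(info, now) {
  return safeAdd(info.rebalanceStartTime, info.rebalanceDuration) <= now;
}

// Time-based unlock path only; the early-unlock (targets met) path is omitted.
function unlock(info, now) {
  if (!isRebalanceDurationElapsed(info, now)) {
    throw new Error("model: rebalance duration not elapsed");
  }
  return { ...info, locked: false };
}

// Unbounded start, as the report describes: any uint256 duration is accepted.
function startRebalanceUnbounded(duration, now) {
  return { rebalanceStartTime: now, rebalanceDuration: duration, locked: true };
}

// Hardened start: cap the duration and refuse to restart a running auction.
function startRebalanceBounded(previous, duration, now) {
  if (duration > MAX_REBALANCE_DURATION) {
    throw new Error("model: duration exceeds cap");
  }
  if (previous && previous.locked && !isRebalanceDurationElapsed(previous, now)) {
    throw new Error("model: previous rebalance still active");
  }
  return startRebalanceUnbounded(duration, now);
}

// Returns "ok" or the revert reason, for side-by-side comparison.
function outcome(action) {
  try { action(); return "ok"; } catch (e) { return e.message; }
}
```

With the unbounded start, the sum overflows for any non-zero start time, so the time-based unlock reverts no matter how far the clock advances; the bounded start rejects that duration before the lock is ever taken.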