Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-04-PHUTURE-FINDINGS-ISSUES-48
HistoryApr 21, 2022 - 12:00 a.m.

Should implement a periphery contract for user to mint indexToken

2022-04-2100:00:00
Code4rena
github.com
4
JSON

Lines of code
<https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/IndexLogic.sol#L31&gt;

Vulnerability details

Impact

User can lose their fund

Proof of Concept

When users want to mint an index token, users need to transfer their assets to address(vToken) first, then call the mint() function of IndexLogic.sol. If users make it into 2 transactions, miner can manipulate it/ After users transfer their token to address(vToken), miner can front-run, and call mint() before users call mint(), and of course, the index token will be minted to miner instead of users
==> User will lose their fund

Tools Used

manual review

Recommended Mitigation Steps

Implement a contract to help users execute 2 actions (transfer to vToken + mint) into 1 transaction (like router in uniswapV2)

The text was updated successfully, but these errors were encountered:

All reactions

JSON