Lines of code

Vulnerability details

Mitigation of H-01: Mitigation Error, see comments

Link to Issue: code-423n4/2023-09-asymmetry-findings#62

Comments

The sponsor has provided a detailed response in the following comment: code-423n4/2023-09-asymmetry-findings#62 (comment)

In summary their analysis is:

• The conditions to expose the issue are unlikely, it needs a deviation of the intended ratio while also a deviation of the CVX/ETH Chainlink feed price.
• The sponsor was able to reproduce the issue, but for a maximum difference of 2% in the Chainlink CVX price, the difference between the target ratio and the real ratio needs to be large.

As the sponsor comments:

> Based on this analysis we think a 2% chainlink variance is an acceptable risk, even when the ratios are far apart.

However, the accepted risk is also justified by the introduction of a minimum delay in the withdrawal process:

> in another pull request we set a minimum withdraw time of 1 epoch so its impossible to instantly withdraw even if there are unlockable funds in the contract.

Given the error with the withdrawal delay in VotiumStrategy, detailed in issue [ADRIRO-NEW-H-01] (VotiumStrategy withdrawal can still be executed with minimal delay), which still offers the possibility of depositing into the protocol with minimal exposure to CVX, the attack is still feasible and can be performed under the right circumstances. The assessment is that the issue is still present and it has not been mitigated.

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions