Lines of code
Vulnerability details
Original Issue
Details
- The issue outlined above is about making instant profit by depositing before the boost happens and withdrawing right after the boost occurs. Those who locked their positions for 16+ weeks get the same profit as those who didn’t, which could decentivize users to lock their liquidity.
Mitigation
Conclusion
- LGTM, but would like to raise the following question:
- Imagine the following:
- lockedBalances[0].amount - cvxUnlockObligations == x, x > 0,
- applyRewards() is about to be invoked nearly at lockedBalances[0].unlockTime - currentEpochStartingTime == 1 epoch - delta, (i.e. nearly close to the time, when lockedBalances[0] is available for finalization)
- Seeing this, Bob could provide s amount of ETH, so that P(s) == x, where P(s) - amount of CVX per s amount of eth provided right before applyRewards() being invoked. After the boost, he is able to withdraw his deposit with an additional boost after waiting delta amount of time, which is significantly less than 1 epoch.
Recommended Mitigation Steps:
- Short term: I’m a little bit suspicious about it, but anyways, does it requires the min amount of wait time, which 1 epoch being applied in case if totalLockedBalancePlusUnlockable < cvxUnlockObligations, when requesting withdrawal?
Assessed type
Context
The text was updated successfully, but these errors were encountered:
All reactions