Comments (2)
Yes, but only once. Could add a deployer check tho
from 2021-04-vader-findings.
After considerable evaluation and seeing the wide range of threat factors that were put forward by wardens related to this issue, I've decided that the potential threat here does extend beyond gas.
A worst case scenario could cause significant damage.
It is extremely unlikely that an attacker could successfully time this type of attack.
An attacker would have to successfully intercept more than one init due to the highly coupled nature of the contract. If they did so incorrectly, the entire system would not function. Presuming they succeeded, the team would also have to overlook the failure of or forget to make multiple critical transaction calls in their deployment scripts. To realize significant financial gains, the attacker would have to leave their exploit code in place for an extended period of time.
The likelihood is extremely low, but the impact would be critical. For this reason, I'm normalizing all of these reports to a Medium Risk.
from 2021-04-vader-findings.
Related Issues (20)
- Function can be simplified
- You don't need to recalculate exclusion fee every time
- token == arrayAnchors[i] HOT 1
- Unused ID field in structs HOT 1
- Storage variables are never used HOT 2
- Variables can be declared constant HOT 2
- flashProof is not effective at the start
- repayDelay is not used anywhere HOT 2
- _addDebtToMember and _removeDebtFromMember separately tracks debt and collateral HOT 1
- Functions can be declared external HOT 2
- Tokens are vulnerable to double-spend allowance HOT 2
- Unused and Unnecessary code
- Out-of-bound index access in function `getAnchorPrice` HOT 1
- Allowing duplicated anchors could cause bias on anchor price. HOT 1
- Unrestricted access to `lockUnits` allows an attacker to steal funds from any user. HOT 3
- Users may unintendedly remove liquidity under a phishing attack. HOT 3
- Unrestricted `addLiquidity` could cause unintended results on front-end apps that listen to events. HOT 3
- Could early return in function `borrowForMember` if `_collateral` is 0. HOT 1
- Unnecessary `else if` statement in `swapWithSynthsWithLimit` HOT 1
- Unnecessary function calls in `addLiquidity`
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from 2021-04-vader-findings.