How much to approve before calling mintTo #86
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Warden finding
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
1 (Low Risk)
frank-beard
added
the
sponsor acknowledged
|
Agree with finding, options could be:
Or alternatively, to save gas, and because I don't believe it causes too many issues, you may decide to have the share stream done separately and not on every mint |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
pauliax
Vulnerability details
Impact
I see one inconvenience with function mintTo and handleFees. Because handleFees changes ibRatio, and later pullUnderlying is invoked, as a user I may not know for how much amount of tokens should I approve Basket contract as this new recalculated ibRatio may change tokenAmount. Usually, it is a good security practice not to give infinite approvals, but because handleFees uses block.timestamp which cannot be reliably predicted and depends on the network congestion, I assume it would be hard to precalculate the exact amounts to approve for pullUnderlying.
Recommended Mitigation Steps
I am not sure what's the best solution here, maybe handleFees can be extracted as a standalone function that can be invoked anytime by anyone, and then do not call it from other functions if that works in your situation. Or fees can be handled afterward but then it may impact other parts. So submitting this FYI, maybe you will find this not relevant.
The text was updated successfully, but these errors were encountered: