Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
44 lines (27 loc) · 1.42 KB

017.md

File metadata and controls

44 lines (27 loc) · 1.42 KB
Raw

ck

medium

GLP has a 15 minute cooldown after purchase that is not accounted for

Summary

PLVGLPController manages the deposit of sGLP for the Plutus GLP Vault. Deposits will fail unless 15 minutes have passed after every purchase of sGLP.

Vulnerability Detail

According to Plutus Docs, "After buying GLP there is a 15 minute cooldown before being able to deposit for plvGLP". This is due to functionality built directly into GLP - https://plutusdao-1.gitbook.io/plutus-docs/products/plvassets/plvglp.

PLVGLPController has no checks for this and will therefore return true for the canCall function even when the 15 minute cooldown hasn't passed.

     function canCall(address, bool, bytes calldata data)
        external
        view
        returns (bool, address[] memory, address[] memory)
    {
        bytes4 sig = bytes4(data);

        if (sig == DEPOSIT || sig == DEPOSIT_ALL) {
            return (true, PLVGLP, sGLP);
        }

Impact

Operations involve sGLP are likely to constantly fail within the cooldown periods.

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/plutus/PLVGLPController.sol#L48-L64

Tool used

Manual Review

Recommendation

Implement a timestamp check whenever sGLP is purchased by an account. This timestamp can then be used to check whether 15 minutes have passed before a further transfer of the sGLP is done.