set `feePerSecond` too high allow owner to drain depositor funds
Summary
The owner can manipulate shares and execute a rug pull by setting
feePerSecondexcessively high.
Vulnerability Details
the owner have the ability to set the
FeePerSecondwhich isuint256to any . (it's not bounded), by calling the function updateFeePerSecond() the the owner can raise thefeetoo high which will mintLPthe Treasury contract which also the owner have the ability to change it's address to any.With the increased LP token supply, the value of users' shares is diluted, rendering them nearly worthless.
the owner then can withdraw this lps and rugpull the users.
Impact
users lose thier deposits .
Tools Used
manual review .
Recommendations
set a
maxandminfee that the owner can set perSecond.
Lead Judging Commences
Centralization Risk
Impact: High Likelihood: Low Centralization risk is regarded a known issue. This tag will include all submissions : - Admin setter functions without validations
Centralization Risk
Impact: High Likelihood: Low Centralization risk is regarded a known issue. This tag will include all submissions : - Admin setter functions without validations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.