Submission Details
Severity: high
Valid

The asset token vault contract is at risk of an inflation attack

Summary

An inflation attack is a type of attack used against vault contracts, like the asset token contract, when they are launched. An attacker can monitor the mempool to anticipate when the asset token contract will be launched, guaranteeing that he will be the first depositor. He deposits a very small amount of the underlying token (say, 1 wei's worth). Next he monitors the mempool for the next depositor, an unsuspecting victim who intends to deposit a much larger amount (say, 10,000 tokens). The attacker pays extra gas to execute a large flash loan before the second depositor's deposit, for the purpose of driving up the amount of the "fee" in the exchange-rate calculation. As a result, the victim receives a far smaller share of the asset tokens than they deserve, because the number of shares minted is the amount of tokens deposited divided by the exchange rate, and the attacker has driven the exchange rate very high.

Because the attacker is the only other person who has deposited, they have an unfairly large portion of asset tokens, and they immediately redeem, stealing underlying tokens from the victim.

Vulnerability Details

This portion of the updateExchangeRate function is susceptible to being manipulated by someone taking out a large flash loan to drive up the amount of "fee" in the calculation:

```solidity
function updateExchangeRate(uint256 fee) external onlyThunderLoan {
    // `fee` is added to totalSupply() before dividing by it, so a fee that is large
    // relative to a tiny share supply multiplies the rate enormously.
    uint256 newExchangeRate = (s_exchangeRate * (totalSupply() + fee)) / totalSupply();
    // ... remainder of the function is not quoted in this submission
}
```
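The following is an added Python model of the formula quoted above and of the deposit sequence described in the Summary; it is not Thunder Loan's code. It assumes the usual 18-decimal precision, a 1:1 starting rate, and the common share formulas `amount * PRECISION / rate` on deposit and `shares * rate / PRECISION` on redeem, and the fee figure is constructed. It shows how a fee applied against a 1-wei share supply multiplies the rate, how much of the second deposit is then lost to rounding, and that the recommended large first deposit removes that loss.

```python
PRECISION = 10**18  # assumed 18-decimal fixed-point precision


class AssetTokenModel:
    """Minimal model of a vault share token whose rate is only pushed up by fees."""

    def __init__(self):
        self.rate = PRECISION   # assumed starting rate: 1 share == 1 underlying
        self.total_supply = 0   # shares outstanding

    def update_exchange_rate(self, fee: int) -> int:
        # The quoted formula: rate *= (totalSupply + fee) / totalSupply.
        # fee is weighed against *shares outstanding*, so a 1-wei supply lets a
        # modest fee multiply the rate by roughly the fee itself.
        self.rate = (self.rate * (self.total_supply + fee)) // self.total_supply
        return self.rate

    def deposit(self, amount: int) -> int:
        shares = amount * PRECISION // self.rate  # integer division rounds down
        self.total_supply += shares
        return shares

    def redeem_value(self, shares: int) -> int:
        return shares * self.rate // PRECISION


def victim_rounding_loss(first_deposit: int, flash_loan_fee: int, victim_deposit: int) -> int:
    """Underlying the second depositor can no longer redeem because shares rounded down."""
    vault = AssetTokenModel()
    vault.deposit(first_deposit)                # first depositor (1 wei in the attack scenario)
    vault.update_exchange_rate(flash_loan_fee)  # fee from a large flash loan hits the rate
    shares = vault.deposit(victim_deposit)
    return victim_deposit - vault.redeem_value(shares)


if __name__ == "__main__":
    ONE = 10**18
    fee = 3_000 * ONE      # constructed fee on a very large flash loan
    victim = 10_000 * ONE  # the 10,000-token second deposit from the Summary
    # Attack scenario: 1-wei first deposit, rate jumps to ~3000x, victim loses ~1000 tokens.
    print("loss, 1 wei first deposit:", victim_rounding_loss(1, fee, victim) / ONE)
    # Recommendation: trusted party seeds the vault with 1000 tokens; rate only rises 4x.
    print("loss, 1000-token first deposit:", victim_rounding_loss(1_000 * ONE, fee, victim) / ONE)
```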

Impact

The second depositor gets a large amount of their tokens stolen by the attacker.

Tools Used

Manual review

Recommendations

Have a trusted party make the first deposit, and make that first deposit a fairly large amount.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

can't redeem because of the update exchange rate
