The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Users are able to stake tokens in different proportions, going against intended business logic

Summary

According to whitepaper section 2.8.1, Liquidation Pool, the sEURO and TST tokens staked by participants must be in equal proportions of 1:1. This means that if you increase your position in TST tokens by 1, your sEURO position must also increase by 1. However, in the increasePosition function, users can choose to increase their position regardless of the ratio. This goes against the intended business logic and will cause the pegging system to fail.

Vulnerability Details

The governance token TST is intended to peg 1:1 with sEURO. Since the value should remain the same, consider a user who calls increasePosition with 100 TST tokens and 1 sEURO token. The liquidation pool is then not worth anything in terms of value with sEURO, since the two are not equal in amount and thus not equal in value.

function increasePosition(uint256 _tstVal, uint256 _eurosVal) external { //@audit allow non equal stake
    require(_tstVal > 0 || _eurosVal > 0);
    consolidatePendingStakes();
    ILiquidationPoolManager(manager).distributeFees();
    if (_tstVal > 0) IERC20(TST).safeTransferFrom(msg.sender, address(this), _tstVal);
    if (_eurosVal > 0) IERC20(EUROs).safeTransferFrom(msg.sender, address(this), _eurosVal);
    pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
    addUniqueHolder(msg.sender);
}

Impact

This goes against the documentation, which states that users must have equal amounts of tokens staked.

Tools Used

Manual Review

Recommendations

Use a single uint256 amount parameter as the amount for both tokens. This ensures an equal amount of each token is staked.
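A sketch of the recommendation above, added here as an example; it is not the project's code. The contract name, struct field names and constructor are hypothetical, the calls to consolidatePendingStakes, distributeFees and addUniqueHolder are left out because their bodies are not shown on this page, and equal raw amounts only mean equal token quantities if both tokens use the same number of decimals (assumed here).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical stand-alone contract: models only the deposit path of the pool.
contract EqualStakePoolExample {
    using SafeERC20 for IERC20;

    // Field names are assumptions; the page shows only the argument order
    // PendingStake(holder, timestamp, TST amount, EUROs amount).
    struct PendingStake {
        address holder;
        uint256 createdAt;
        uint256 tst;
        uint256 euros;
    }

    IERC20 public immutable TST;
    IERC20 public immutable EUROs;
    PendingStake[] public pendingStakes;

    constructor(IERC20 _tst, IERC20 _euros) {
        TST = _tst;
        EUROs = _euros;
    }

    // A single amount drives both transfers, so a caller cannot submit
    // 100 TST against 1 EUROs: every pending stake is 1:1 in raw units.
    // Assumes TST and EUROs share the same decimals.
    function increasePosition(uint256 _amount) external {
        // The original check allowed one side to be zero; here both sides
        // are the same value, so one check covers both tokens.
        require(_amount > 0, "zero amount");

        // If either transfer fails, SafeERC20 reverts and the whole call is
        // rolled back, so a half-funded stake is never recorded.
        TST.safeTransferFrom(msg.sender, address(this), _amount);
        EUROs.safeTransferFrom(msg.sender, address(this), _amount);

        pendingStakes.push(
            PendingStake(msg.sender, block.timestamp, _amount, _amount)
        );
    }
}
```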

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

thedoctor Submitter
over 1 year ago
hrishibhat Lead Judge
over 1 year ago
