Submission Details
Severity:
Users able to participate liquidation pool with less than 100 tokens
Summary
According to the whitepaper section 2.8.1 Liquidation Pool, in the third paragraph, users must participate with minimum of 100sEURO. However, it wasn't implemented in the function. Furthermore, the minimum amount to participate can be defined in governance which is not added in the function.
Vulnerability Details
function increasePosition(uint256 _tstVal, uint256 _eurosVal) external { //@audit allow non equal stake
require(_tstVal > 0 || _eurosVal > 0);
consolidatePendingStakes();
ILiquidationPoolManager(manager).distributeFees();
if (_tstVal > 0) IERC20(TST).safeTransferFrom(msg.sender, address(this), _tstVal);
if (_eurosVal > 0) IERC20(EUROs).safeTransferFrom(msg.sender, address(this), _eurosVal);
pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
addUniqueHolder(msg.sender);
}
Impact
This goes against documentation which states that users must have 100 sEURO tokens amount or the DAO minimum amount.
Tools Used
Manual Review
Recommendations
Ensure that the staked amount is more than initial minimum amount of 100 sEURO. Which uint variable can be set by governance.
Updates
Lead Judging Commences
hrishibhat over 1 year ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
informational/invalid
thedoctor
over 1 year ago
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
60933 USDC / LOC
17,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.