Skip to content

Latest commit

 

History

History
38 lines (24 loc) · 1.29 KB

004.md

File metadata and controls

38 lines (24 loc) · 1.29 KB

Acidic Midnight Mustang

Medium

Users can enter with an unfair payment token price since signatures cannot be revoked.

Summary

When users are provided signatures, they're ultimately given the exchange rate at which the protocol will accept the payment token.

        uint256 preFeeStableAmountEquivalent = (_params.amountToInvest * _params.exchangeRateNumerator) /
            exchangeRateDenominator;

Then, up until the signature's deadline or the round's investmentRoundEndTimestamp comes, the user can invest.

In case the payment token's price drops significantly or even crashes, since signatures cannot be revoked, the user will be able to invest with a significantly overpriced valuation of their payment token.

Root Cause

Signatures cannot be revoked

Attack Path

  1. User is provided signature to invest with a stablecoin valued at $1.
  2. Said stablecoin depegs and goes to $0.50
  3. User can now invest with their deppeged stablecoin at valuation of $1.
  4. Signer has no way of preventing this.

Impact

Investing at an unfair valuation of assets

Affected Code

https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/main/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol#L165

Mitigation

Add a function to revoke signatures.