Acidic Midnight Mustang
Medium
After a KYC'd user is provided a signature, any wallet can submit the call and invest on their behalf.
```solidity
// update kyc address and total amounts invested for this investment round (in stablecoin terms)
kycAddressInvestedPerRound[_params.kycAddress][
    _params.investmentRound
] += postFeeStableAmountEquivalent;
totalInvestedPerRound[_params.investmentRound] += postFeeStableAmountEquivalent;
// transfer tokens from msg.sender to this contract (in payment token terms)
IERC20(_params.paymentTokenAddress).safeTransferFrom(
    msg.sender,
    address(this),
    _params.amountToInvest
);
```
Any time a user wishes to invest, there are 2 restrictions they have to comply with:
- their new total investment must not exceed their allowed limit
- the total invested amount must not exceed the cap.
This means that any time a KYC'd user attempts to invest their maximum, a malicious user can front-run them and invest a dust amount on their behalf, so that the user's new total exceeds the limit and their transaction reverts.
As the investments and the signature have a deadline, this would allow a malicious user to fully DoS an investor out of the investment.
Lack of access control. Having certain caps set.
1. User is given a max investment of $2000.
2. User wishes to invest the full $2000 and submits such a transaction.
3. Griefer sees said transaction and front-runs it, investing a dust amount.
4. User's tx now reverts due to the exceeded cap.
5. Repeat steps 2-4 until the deadline of either the signature or the investment round passes.
Investor might be forced out of the investment round.
If the investment exceeds the limit, instead of reverting, invest up to the cap.
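The following is an added example, not code from the audited contract: a simplified Python model of the per-user limit and round cap that compares the revert-on-exceed behaviour with the suggested invest-up-to-the-cap behaviour. The `Round` class, its fields, the $1,000,000 round cap and the $1 dust amount are assumptions for illustration; fees, token conversion and signature verification are left out.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""

class Round:
    # Hypothetical model of one investment round; amounts are whole dollars.
    def __init__(self, user_limit, round_cap, clamp):
        self.user_limit = user_limit
        self.round_cap = round_cap
        self.clamp = clamp        # False: revert on exceed, True: invest up to the cap
        self.invested = {}        # kycAddress -> total credited this round
        self.total = 0            # total invested this round
        self.paid = {}            # msg.sender -> amount actually transferred

    def invest(self, sender, kyc_address, amount):
        # Remaining room is bounded by both the user's limit and the round cap.
        room = min(self.user_limit - self.invested.get(kyc_address, 0),
                   self.round_cap - self.total)
        if amount > room:
            if not self.clamp or room == 0:
                raise Revert("limit or cap exceeded")
            amount = room         # mitigation: take only what still fits
        self.invested[kyc_address] = self.invested.get(kyc_address, 0) + amount
        self.total += amount
        self.paid[sender] = self.paid.get(sender, 0) + amount
        return amount             # amount accepted and pulled from msg.sender

def run_scenario(clamp):
    """Steps 1-4 above: the dust investment lands before the user's max investment."""
    rnd = Round(user_limit=2000, round_cap=1_000_000, clamp=clamp)
    rnd.invest("griefer", "user", 1)      # constructed dust amount, credited to the user
    try:
        accepted = rnd.invest("user", "user", 2000)
    except Revert:
        accepted = 0                      # the user's transaction reverted
    return accepted, rnd.invested["user"], rnd.paid

if __name__ == "__main__":
    print("revert on exceed:", run_scenario(clamp=False))
    print("invest up to cap:", run_scenario(clamp=True))
```

With clamping, the dust paid by the other wallet still counts toward the user's limit, so the user ends the round at their full allocation while paying only the remainder.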