ampleforth / token-geyser-v2

UVT-03: Potential Misbehaviour of the System

thegostep opened this issue · comments

| type | severity | location |
| --- | --- | --- |
| Logical Issue | Minor | https://github.com/ampleforth/token-geyser-v2/blob/c970676aaecb08e942fe1088a4b1ddcb26655fe6/contracts/UniversalVault.sol%23L278-L293 |

Description:

The externalCallsMulti function iterates and executes all calls provided to it before evaluating that the balance sheet of the vault is correct and finalizing the function's execution. This allows one to actually withdraw tokens and utilize them prior to returning them in the sequence of external calls performed by the contract which may be an undesired capability of the system.

Recommendation:

We advise that this feature is documented if desired or prohibited by evaluating the balance sheet on each invocation.

I believe this is also possible through the externalCall() function if using a proxy on the other side.

In any case, will document.
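The difference between the two options in the recommendation, as an added example that is not part of the original issue and is not the project's code: a Python toy model of a batched call loop that checks the balance sheet either once at the end or after every call. `ToyVault`, `run_batch`, `move` and the invariant `balance >= locked` are assumptions made for illustration, standing in for the contract's real check.

```python
class BalanceSheetError(Exception):
    """Raised when the modelled vault holds less than it must keep covered."""

class ToyVault:
    # Hypothetical model: one token, one invariant (balance >= locked).
    def __init__(self, balance, locked):
        self.balance = balance  # tokens currently held by the vault
        self.locked = locked    # tokens the vault must keep covered

    def _check(self):
        if self.balance < self.locked:
            raise BalanceSheetError(f"balance {self.balance} < locked {self.locked}")

    def run_batch(self, calls, check_each_call):
        """Run calls in order; return the balance observed after each call."""
        snapshot = self.balance
        trace = []
        try:
            for call in calls:
                call(self)
                trace.append(self.balance)
                if check_each_call:
                    self._check()  # per-invocation evaluation
            self._check()          # end-of-batch evaluation
        except BalanceSheetError:
            self.balance = snapshot  # model the transaction reverting
            raise
        return trace

def move(delta):
    """Build a call that changes the vault balance by delta (constructed input)."""
    def call(vault):
        vault.balance += delta
    return call

def demo():
    calls = [move(-60), move(+60)]  # tokens leave, then come back
    end_only = ToyVault(100, 100).run_batch(calls, check_each_call=False)
    strict = ToyVault(100, 100)
    try:
        strict.run_batch(calls, check_each_call=True)
        rejected = False
    except BalanceSheetError:
        rejected = True
    return end_only, rejected, strict.balance

if __name__ == "__main__":
    print(demo())
```

With the end-of-batch check the trace shows the vault below its required balance between the two calls even though the batch succeeds; with the per-call check the same batch is rejected at the first call.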