Flat Money - Audit Report
Overview
The Flat Money protocol allows people to deposit Rocket Pool ETH (rETH) and mint UNIT, a decentralized delta-neutral flatcoin designed to outpace inflation. Flat Money also offers Leverage Traders the ability to deposit rETH and open rETH leveraged long positions through perpetual futures contracts.
References
Infos
| Details | Findings | nSLOC | Payout | Platform | Category |
|---|---|---|---|---|---|
| Flat Money | 1M | 2215 | $41.11 | Sherlock | Perps |

| Ranking | Start | End | Duration | Report |
|---|---|---|---|---|
| #31 of 257 | 01/22/24 | 02/04/24 | 13 days | 📄 |
Achievement
With less than one month working as a smart contract security researcher, I managed to find a medium severity issue in my first audit contest. I was rewarded with $41.11 and placed 31/257 in the Flat Money contest on Sherlock (see Sherlock's tweet with my classification at 31st).
Medium findings
[M-1] Malicious actors can accumulate a huge amount of internal points (FMP) and inflate their value
Summary
Malicious actors can take advantage of the absence of a time restriction (or penalty) mechanism for withdrawing collateral to earn internal points (FMP) at a very low cost (only the 0.3% withdraw fee), inflating their value.
Vulnerability Detail
A bad actor can deposit collateral, earn FMP points, and withdraw all of the deposited collateral instantly, paying only the small withdraw fee (0.3%; keeper fees can be avoided if the order is executed by the user). Since there is no time restriction on earning points and no penalty mechanism that reduces points when collateral is withdrawn, the bad actor can repeat this process (almost) indefinitely, until all of their collateral has been spent on withdraw fees, accumulating FMP points and inflating their value.
Impact
Malicious users can accumulate a huge amount of FMP, inflating their value.
Code Snippet
Tool used
Foundry
Recommendation
Implement a mechanism that restricts the FMP earnings by time and/or reduces the point quantity when a user withdraws collateral.
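The following toy model, added here as an illustration and not code from the Flat Money protocol, contrasts a points ledger that credits FMP on deposit with no withdrawal penalty against one that burns the points a withdrawal releases. The 0.3% fee is the figure from the finding; the 1 point per unit of collateral rate and the `PointsLedger` class are assumptions of this model.

```python
from dataclasses import dataclass, field

WITHDRAW_FEE = 0.003    # 0.3% withdraw fee, as stated in the finding
POINTS_PER_UNIT = 1.0   # assumed rate: 1 FMP per unit of collateral deposited


@dataclass
class PointsLedger:
    """Simplified points ledger (constructed model, not the protocol's code)."""
    burn_on_withdraw: bool = False
    balances: dict = field(default_factory=dict)
    points: dict = field(default_factory=dict)

    def deposit(self, user: str, amount: float) -> None:
        self.balances[user] = self.balances.get(user, 0.0) + amount
        # Points are credited immediately on deposit, with no vesting period.
        self.points[user] = self.points.get(user, 0.0) + amount * POINTS_PER_UNIT

    def withdraw(self, user: str, amount: float) -> float:
        """Return the collateral paid out after the withdraw fee."""
        balance = self.balances.get(user, 0.0)
        if amount > balance:
            raise ValueError("insufficient collateral")
        self.balances[user] = balance - amount
        if self.burn_on_withdraw:
            # Mitigation: remove the points this collateral earned when it leaves.
            self.points[user] -= amount * POINTS_PER_UNIT
        return amount * (1 - WITHDRAW_FEE)


def cycle_points(collateral: float, cycles: int, burn_on_withdraw: bool) -> tuple[float, float]:
    """Deposit and immediately withdraw `cycles` times; return (points, collateral left)."""
    ledger = PointsLedger(burn_on_withdraw=burn_on_withdraw)
    user = "cycler"
    for _ in range(cycles):
        ledger.deposit(user, collateral)
        collateral = ledger.withdraw(user, collateral)
    return ledger.points[user], collateral


def honest_points(collateral: float) -> float:
    """Single deposit held for the whole period, as the points system intends."""
    ledger = PointsLedger()
    ledger.deposit("holder", collateral)
    return ledger.points["holder"]


if __name__ == "__main__":
    print("single deposit of 100:", honest_points(100.0))
    print("10 cycles, no penalty :", cycle_points(100.0, 10, burn_on_withdraw=False))
    print("10 cycles, burn points:", cycle_points(100.0, 10, burn_on_withdraw=True))
```

With no penalty, ten deposit/withdraw cycles of 100 units cost roughly 3 units in fees but credit close to ten times the points a single held deposit earns; with points burned on withdrawal the cycler ends with none.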