Omniscia BlazeSwap Audit
BlazeSwapERC20Snapshot Manual Review Findings
BSC-01M: Improper Snapshot ID Validation
Type | Severity | Location |
---|---|---|
Logical Fault | | BlazeSwapERC20Snapshot.sol:L60 |
Description:
The `snapshotId` validation check performed at `_valueAt` allows the `snapshotId` to contain a value of `block.number`, thus permitting flash-loans and similar attack vectors to yield an inflated value at the current block.
Impact:
It is currently possible to achieve inflated `_valueAt` evaluations that can compromise all systems using the snapshotted value, such as governance modules.
Example:
```solidity
function _valueAt(uint256 snapshotId, Snapshot[] storage snapshots) private view returns (bool, uint256) { // L59
    require(snapshotId > 0 && snapshotId <= block.number, 'BlazeSwap: INVALID_SNAPSHOT_ID'); // L60
```
Recommendation:
We advise that querying the current `block.number` be prohibited, similarly to the Compound and OpenZeppelin Comp-like token implementations.
Alleviation:
The BlazeSwap team stated that the token should mimic the functionality of Flare Network's WNAT token and that it is up to integrators to properly validate that the `block.number` represents a number that is before the latest block. As a result, we consider this exhibit nullified given that the current implementation represents intended behaviour.
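
The effect of the two bounds, as an added example that is not BlazeSwap's code: a simplified Python model of block-number snapshots comparing the audited check (`snapshotId <= block.number`) with the strict bound from the recommendation, and with the integrator-side validation from the alleviation (querying a past block). The class, account names and amounts are constructed for illustration.

```python
from bisect import bisect_right

class SnapshotToken:
    """Simplified model of a block-number snapshot token (constructed for illustration)."""

    def __init__(self, strict):
        self.strict = strict      # True: the current block cannot be queried
        self.block_number = 1
        self.balances = {}
        self.checkpoints = {}     # account -> (block numbers, balances)

    def _write(self, account, value):
        self.balances[account] = value
        blocks, values = self.checkpoints.setdefault(account, ([], []))
        if blocks and blocks[-1] == self.block_number:
            values[-1] = value    # the current block's checkpoint is still mutable
        else:
            blocks.append(self.block_number)
            values.append(value)

    def mint(self, account, amount):
        self._write(account, self.balances.get(account, 0) + amount)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self._write(src, self.balances[src] - amount)
        self._write(dst, self.balances.get(dst, 0) + amount)

    def balance_of_at(self, account, snapshot_id):
        # Audited bound: snapshot_id <= block.number; strict bound: snapshot_id < block.number
        upper = self.block_number - 1 if self.strict else self.block_number
        if not 0 < snapshot_id <= upper:
            raise ValueError("INVALID_SNAPSHOT_ID")
        blocks, values = self.checkpoints.get(account, ([], []))
        i = bisect_right(blocks, snapshot_id)
        return values[i - 1] if i else 0

def value_seen_while_borrowing(strict, blocks_back):
    """Balance a consumer reads for 'alice' while she holds a same-block loan."""
    token = SnapshotToken(strict)
    token.mint("pool", 1_000_000)
    token.mint("alice", 10)
    token.block_number = 5                          # a few blocks later
    token.transfer("pool", "alice", 1_000_000)      # borrow
    try:
        return token.balance_of_at("alice", token.block_number - blocks_back)
    finally:
        token.transfer("alice", "pool", 1_000_000)  # repay in the same block
```

With the audited bound, a consumer that passes the current block reads the borrowed balance; a consumer that passes an earlier block reads the settled one, which is the validation the alleviation leaves to integrators.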