Omniscia BlazeSwap Audit

BlazeSwapERC20Snapshot Manual Review Findings

BSC-01M: Improper Snapshot ID Validation

Description:

The snapshotId validation check performed in _valueAt allows snapshotId to equal block.number, thus permitting flash loans and similar attack vectors to yield an inflated value at the current block.

Impact:

It is currently possible to obtain inflated _valueAt evaluations, which can compromise all systems that use the snapshotted value, such as governance modules.

Example:

contracts/core/BlazeSwapERC20Snapshot.sol
function _valueAt(uint256 snapshotId, Snapshot[] storage snapshots) private view returns (bool, uint256) {
    require(snapshotId > 0 && snapshotId <= block.number, 'BlazeSwap: INVALID_SNAPSHOT_ID');

Recommendation:

We advise that querying at the current block.number be prohibited, similarly to the Compound and OpenZeppelin Comp-like token implementations.

Alleviation:

The BlazeSwap team stated that the token should mimic the functionality of Flare Network's WNAT token and that it is up to integrators to properly validate that the block.number represents a number that is before the latest block. As a result, we consider this exhibit nullified given that the current implementation represents intended behaviour.
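
The following added example (not code from the audit or from BlazeSwap) models the check in Python to compare the audited `<=` bound with the strict `<` bound from the recommendation, and to show that a reading at `block.number - 1`, as an integrator would take it, ignores balances held only within the current block. The per-block checkpoint store and the names `SnapshotToken`, `adjust` and `same_block_reading` are assumptions made for illustration.

```python
import bisect

class SnapshotToken:
    """Toy per-block checkpoint model (constructed; not BlazeSwap's Solidity)."""

    def __init__(self, strict):
        self.strict = strict      # True: snapshotId < block.number; False: <= (as audited)
        self.block_number = 1
        self.blocks = {}          # account -> ascending checkpoint block numbers
        self.values = {}          # account -> balance stored at each checkpoint

    def mine(self):
        self.block_number += 1

    def adjust(self, account, delta):
        blocks = self.blocks.setdefault(account, [])
        values = self.values.setdefault(account, [])
        new_value = (values[-1] if values else 0) + delta
        if blocks and blocks[-1] == self.block_number:
            values[-1] = new_value            # same block: overwrite the open checkpoint
        else:
            blocks.append(self.block_number)
            values.append(new_value)

    def value_at(self, account, snapshot_id):
        limit_ok = (snapshot_id < self.block_number if self.strict
                    else snapshot_id <= self.block_number)
        if snapshot_id <= 0 or not limit_ok:
            raise ValueError("INVALID_SNAPSHOT_ID")
        i = bisect.bisect_right(self.blocks.get(account, []), snapshot_id)
        return self.values[account][i - 1] if i else 0


def same_block_reading(strict):
    """Return (reading at current block, reading at previous block) taken
    while a balance that is returned later in the same block is still held."""
    token = SnapshotToken(strict)
    token.adjust("holder", 10)            # block 1: long-term holding (constructed value)
    token.mine()                          # block 2 begins
    token.adjust("holder", 1_000_000)     # temporary in-block balance (constructed value)
    try:
        current = token.value_at("holder", token.block_number)
    except ValueError:
        current = None                    # strict check refuses the open block
    previous = token.value_at("holder", token.block_number - 1)
    token.adjust("holder", -1_000_000)    # balance returned before block 2 ends
    return current, previous
```

With the `<=` bound the current-block reading includes the temporary balance, while the previous-block reading is the same under both bounds.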