Add extra deposit and withdraw methods #150
Conversation
…tion Add rebalancing user position #152
| @@ -133,8 +155,8 @@ mod Deposit { | |||
| ekubo_limits: EkuboSlippageLimits, | |||
| pool_price: TokenPrice | |||
| ) { | |||
| let user_acount = get_tx_info().unbox().account_contract_address; | |||
| assert(user_acount == self.owner.read(), 'Caller is not the owner'); | |||
| let user_account = get_tx_info().unbox().account_contract_address; | |||
There was a problem hiding this comment.
You are using let user_account = get_tx_info().unbox().account_contract_address; here and in close_position, as opposed to using get_caller_address() in withdraw and extra_deposit. I was wondering if there is a special reason for this?
Ideally i think it should be replaced by get_caller_address(). You can read about the security implication at:
https://github.com/starknet-edu/starknetbook/blob/8cfcd33ccd9afee425f31a10a721f20a84554ca5/src/ch02-14-security-considerations.md?plain=1#L150.
But in a nutshell, something like this could happen:
- Alice deploys her own Spotnet contract, and she is the owner
- Bob deploys another contract (let's call it 'Evil') that calls
loop_liquidityorclose_positionof Alice's Spotnet contract - Bob somehow tricks Alice into calling a function in Evil. Alice ends up unintentionally calling
loop_liquidityorclose_positionnot necessarily knowing so.
This is possible because you are checking the address of the tx's origin, not the caller address.
Granted this is not a big problem because Bob can't steal any money, but Bob might be able to cause Alice to lose money in certain cases, obviously. Probably some easiest way would be closing a premature position that hasn't profited or sending along a wrong price.
There was a problem hiding this comment.
There was an issue with testing. If there is a way we can bypass this behavior it would be great to use get_caller_address everywhere, but I didn't find any info on that. So get_caller_address is used when we are not swapping through Ekubo.
No description provided.