search
Active Boosts

#46924 [SC-Low] Last user may exit with almost all of his values, but he'll purposefully leave a small 1e18 or a little more to grief `destroy()`

Submitted on Jun 6th 2025 at 08:56:36 UTC by @onthehunt for Audit Comp | Flare | FAssetsarrow-up-right

  • Report ID: #46924

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CollateralPool.sol

  • Impacts:

    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

hashtag
Description

hashtag
Brief/Intro

CollateralPool::destroy() is used to remove destroy an agent and collateral pool, but he may be griefed from that for a very small amount.

hashtag
Vulnerability Details

Let's say that agent wants to remove himself from the protocol for some reason and announce destroy via announceDestroyAgent(), which will make destroying the agent possible after the specified settings.withdrawalWaitMinSeconds

Nothing is left inside the pool and he successfully calls the aforementioned function.

But a malicious user spots that and decides to call CollateralPool.enter(), with the smaller amount available, which will be no more than a couple of bucks, if not less.

MIN_NAT = 1e18 which is 1e18 of flare native token, costing literal cents.

Via that, a user can block the destruction of an agent and its collateral pool for as I said, a very small amount and accessible amount of money, thus preventing the whole action.

hashtag
Impact Details

Agent and its collateral pool will never be destroyed, leaving broken functionality the reason of the bug, as we should be able to do so after announcing it, leaving the users responsible for their action (we should just destroy the pool even if there is something left, as the announcement starts only if there's nothing in the pool).

hashtag
References

https://github.com/flare-labs-ltd/fassets/blob/main/contracts/assetManager/implementation/CollateralPool.sol#L833

https://github.com/flare-labs-ltd/fassets/blob/main/contracts/assetManager/library/AgentsCreateDestroy.sol#L145-L176

https://github.com/flare-labs-ltd/fassets/blob/main/contracts/assetManager/library/AgentsCreateDestroy.sol#L134

hashtag
Proof of Concept

  1. Agent wants to destroy himself and the collateral pool as they are empty and calls announceDestroyAgent()

  2. Alice sees that and calls CollateralPool::enter() with the smallest value she can enter the pool

  3. The time passes that makes destroying the pool possible, but the agent has been griefed by Alice and can't do that

Previous#46858 [SC-High] The agent owner can exploit a malicious rewardManager to steal tokens from the protocolNext#46930 [SC-Low] `depositNat()` in `CollateralPool` Fails to Notify Asset Manager, By not calling the `updateCollateral`

Was this helpful?