Spicy Hickory Mandrill
High
When calling for an expansion on Good Dollar, the lastExpansion time is set to block.timestamp regardless of what point in the frequency period you're at. It then requires a full expansionFrequency period to be able to be called again.
Because of this, an attacker can wait 1.99 periods from the last expansion, call to expand, and lastExpansion will be set to block.timestamp. The next expansion can then only be called once 2.99 periods have passed, and numberOfExpansions to be calculated will be rounded down so, in what should be 3 periods, only 2 expansions occur.
If an attacker keeps this up, they can send a transaction every 1.99 periods to effectively half the amount of expansions that occur.
https://github.com/sherlock-audit/2024-10-mento-update/blob/098b17fb32d294145a7f000d96917d13db8756cc/mento-core/contracts/goodDollar/GoodDollarExpansionController.sol#L232 determines the number of expansions to occur, which will always round down to a whole number regardless of when in the frequency period you are.
https://github.com/sherlock-audit/2024-10-mento-update/blob/098b17fb32d294145a7f000d96917d13db8756cc/mento-core/contracts/goodDollar/GoodDollarExpansionController.sol#L179 then sets lastExpansion to block.timestamp.
n/a
n/a
- Attacker calls
mintUBIFromExpansionfunction after 1.99 frequency periods have passed. - Attacker continues to do the same.
The amount that should be able to be minted from expansion is cut by 50%.
n/a in this case
No response