FLO-4: createPaidRebalancer Is Permissionless Where Anyone Can Drain Admin's Flow #213

@liobrasil

Severity: High

Files Affected

  • cadence/contracts/FlowALPRebalancerPaidv1.cdc

Description

createPaidRebalancer() is access(all), so anyone who holds a valid Capability<auth(FlowALPv1.ERebalance) &FlowALPv1.Position> can call it. Each call creates a Rebalancer using defaultRecurringConfig, which carries the admin's txFunder, and immediately schedules the first run via fixReschedule() → scheduleNextRebalance(), which withdraws FLOW from the admin's txFunder. There is no deduplication: each call produces a unique UUID and a unique storage path, so multiple rebalancers can be created for the same position.

Attack:

  • A single participant creates one position with minimal deposit
  • Issues N capabilities (auth(ERebalance) &Position) to the same position
  • Calls createPaidRebalancer N times — each immediately withdraws feeWithMargin from the admin's txFunder
  • Each scheduled execution withdraws another feeWithMargin for the next run
  • Total drain: N * feeWithMargin at creation, then N * feeWithMargin per interval indefinitely

The attacker needs EParticipant access to create a position (beta-gated), but a single whitelisted participant is sufficient. There is no rate limiting, no cap on the number of rebalancers, and no per-position deduplication.

Recommendation

Restrict createPaidRebalancer to admin-only access, or add per-position deduplication and rate limiting. At minimum, track which position IDs already have a paid rebalancer and reject duplicates.
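To make the fee impact of the finding and of the per-position deduplication concrete, here is a constructed model of the accounting only (added here, not the project's Cadence code; the class and function names are hypothetical). It counts feeWithMargin once per creation and once per live rebalancer per interval, first with the current permissionless behaviour and then with duplicate position IDs rejected.

```python
# Constructed model of the FLO-4 accounting, not the project's Cadence code;
# class and function names are hypothetical. Each createPaidRebalancer call
# withdraws feeWithMargin from the admin's txFunder for the first run, and
# every scheduler interval withdraws it again for each live rebalancer.
from dataclasses import dataclass, field


class DuplicatePaidRebalancer(Exception):
    """Raised by the hardened path when a position already has a rebalancer."""


@dataclass
class PaidRebalancerContract:
    fee_with_margin: int  # FLOW per scheduled run, constructed units
    dedup: bool  # False = current behaviour, True = per-position deduplication
    drained: int = 0  # total FLOW withdrawn from the admin's txFunder
    rebalancers: list[int] = field(default_factory=list)  # position id per rebalancer
    paid_positions: set[int] = field(default_factory=set)

    def create_paid_rebalancer(self, position_id: int) -> int:
        """Any holder of an ERebalance capability on the position may call this."""
        if self.dedup and position_id in self.paid_positions:
            raise DuplicatePaidRebalancer(f"position {position_id} already has a paid rebalancer")
        self.paid_positions.add(position_id)
        self.rebalancers.append(position_id)
        self.drained += self.fee_with_margin  # scheduleNextRebalance() funds run 1 now
        return len(self.rebalancers) - 1  # stands in for the rebalancer's unique UUID

    def run_interval(self) -> None:
        """One scheduler interval: every live rebalancer funds its next run."""
        self.drained += self.fee_with_margin * len(self.rebalancers)


def simulate(n_capabilities: int, intervals: int, dedup: bool, fee: int = 25) -> tuple[int, int]:
    """One participant issues n_capabilities to a single position and calls
    createPaidRebalancer with each; then `intervals` scheduler ticks pass.
    Returns (total FLOW drained from txFunder, calls rejected)."""
    contract = PaidRebalancerContract(fee_with_margin=fee, dedup=dedup)
    rejected = 0
    for _ in range(n_capabilities):
        try:
            contract.create_paid_rebalancer(position_id=1)
        except DuplicatePaidRebalancer:
            rejected += 1
    for _ in range(intervals):
        contract.run_interval()
    return contract.drained, rejected
```

With deduplication the drain from one position is bounded to a single creation fee plus one fee per interval, whatever N the participant issues.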


Parent Issue: #209
