Severity: Medium / High
Date: Thursday, October 22nd, 2020
Reporter: Kevin Foesenek
Payout: $20,000 USD of WETH (transaction)
Just prior to launch a security researcher discovered a flaw in the PermitAndDepositDai contract. This flaw would have allowed an attacker to front-run the "deposit" transaction and take the deposited amount. This would have affected any new deposits to the system.
References to the contract were removed from the user interface, and a fix was immediately deployed to mainnet and published via NPM.