1/ percolator-prog: TradeCpi lets a taker force a position onto any margined LP who never signed the txs. The program trusts a "matcher consent" account to stand in for the LP - but that account is attacker-owned and writable, so you just write the bytes a real opt-in would. there's no engine-enfor
@toly·2026年6月4日·負面
閱讀原文AI 摘要
A vulnerability in TradeCpi lets attackers force positions onto LPs without their consent due to a flawed consent mechanism.
