Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #16

Open
code423n4 opened this issue Feb 18, 2022 · 3 comments
Open

QA Report #16

code423n4 opened this issue Feb 18, 2022 · 3 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L48
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L43

Vulnerability details

Impact

In VUSD.sol the mintWithReserve() and withdraw() functions both handle minting and burning of the vusd tokens. Both of these function don't require that the amount passed in is larger than 0 while still emitting an event through the open zepellin erc20 library. Leaving out this check can trick the protocol into thinking that funds were minted or burned when in fact they were not. This is especially important if the protocol will ever be relying on these events to make important decisions in the code.

Proof of Concept

https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L48

https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L43

Tools Used

Manual code review

Recommended Mitigation Steps

add to mintWithReserve() and withdraw() functions in VUSD.sol:
require(amount > 0, "Amount cannot be 0");
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 18, 2022
code423n4 added a commit that referenced this issue Feb 18, 2022
@code423n4
jayjonah8 issue #16
70b63ae
@atvanguard
Copy link
Collaborator

Duplicate of #119

@atvanguard atvanguard marked this as a duplicate of #119 Feb 24, 2022
@atvanguard atvanguard added the duplicate This issue or pull request already exists label Feb 24, 2022
@moose-code moose-code added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 6, 2022
@moose-code
Copy link
Collaborator

Not agreeing its a duplicate of #119 as it doesn't talk about ddos. Making this low.

@CloudEllie CloudEllie removed the duplicate This issue or pull request already exists label Mar 11, 2022
@CloudEllie CloudEllie reopened this Mar 11, 2022
@JeeberC4
Copy link

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.
The original title, for the record, was VUSD.sol functions don't check if amount > 0

@JeeberC4 JeeberC4 changed the title VUSD.sol functions don't check if amount > 0 QA Report Mar 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@atvanguard @moose-code @code423n4 @CloudEllie @JeeberC4