The wider adoption of rUSDY is hindered because one can only send rUSDY to people that have bridged USDY #258
Comments
code423n4
added
2 (Med Risk)
|
Invalid assumptions. |
c4-pre-sort
added
the
low quality report
|
raymondfam marked the issue as low quality report |
|
raymondfam marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
c4-judge
added
the
unsatisfactory
|
kirk-baird marked the issue as unsatisfactory: |
|
@raymondfam May I ask what assumption exactly you see as invalid? According to the team USDY on the Ethereum chain and rUSDY on any other chain are using different allow lists so in my oppinion the issue is valid. Could you take a second look at it @kirk-baird ? |
|
@BenRai1 You're able to add yourself to the allowlist. |
|
@kirk-baird But if anyone can add themselves to the allow list, this contradicts the purpose of the allow list since as far as I know the list should only be accessible to users with KFC. Maybe @tom2o17 can shed some light on this? |
|
I do agree with you that the allow list does not seem effective as anyone can add themselves. Essentially user's just need to spend the gas to add themselves. That being said I don't think this would qualify for Medium as the usual operation of an allow list is that some admin can add users. In which case it would be the admin's responsibility to add new users (or if users are added on another chain they can use the bridge). |
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L626-L655
Vulnerability details
Impact
It is not possible to get on the allowlist to interact with rUSDY except when bridging USDY. This limits the amount of people that can interact with rUSDY drastically and hinders the wider adoption of the stable coin.
Proof of Concept
When transferring rUSDY to another account the function
_beforeTokenTransferis called which checks if both the recipient and the sender are on the allow list and not blocked or sanctioned. Currently the only way to get on the allow list for rUSDY is by bridging USDY from one chain to another. According to the team USDY on the Ethereum chain and rUSDY on any other chain are using different allow lists.This means that once accounts can only send rUSDY to users that have bridged USDY to the specific chain. This limits the number of users that can interact with rUSDY drastically and contradicts the teams goals to establish rUSDY as a competitor to USDC and USDT.
Tools Used
Manual review
Recommended Mitigation Steps
Consider using the same allow list for USDY on Ethereum and any other chain to extend the number of users that can interact with rUSDY to every customer that has already invested in USDY without requiring them to bridge their assets first.
Assessed type
Other
The text was updated successfully, but these errors were encountered: