Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rUSDY::burn function: USDY tokens are refunded to the wrong address #85

Closed
code423n4 opened this issue Sep 4, 2023 · 13 comments
Closed

rUSDY::burn function: USDY tokens are refunded to the wrong address #85

code423n4 opened this issue Sep 4, 2023 · 13 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b high quality report This report is of especially high quality primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L672-L683

Vulnerability details

Impact

  • In rUSDY contract: the burner role can burn rUSDY tokens (shares) from any user for any reason.

  • The user is supposed to lose his rUSDY tokens while refunded the equivalent amount of USDY tokens.

  • But burn function refunds the burner (msg.sender) with the USDY tokens instead of the intended user.

Proof of Concept

burn function

File: 2023-09-ondo/contracts/usdy/rUSDY.sol
Line 672-683:
function burn(
  address _account,
  uint256 _amount
) external onlyRole(BURNER_ROLE) {
  uint256 sharesAmount = getSharesByRUSDY(_amount);

  _burnShares(_account, sharesAmount);

  usdy.transfer(msg.sender, sharesAmount / BPS_DENOMINATOR);

  emit TokensBurnt(_account, _amount);
}

Tools Used

Manual Testing.

Recommended Mitigation Steps

In rUSDY::burn function: USDY amount to be refunded to the account thats has it's rUSDY tokens burnt:

 function burn(
    address _account,
    uint256 _amount
  ) external onlyRole(BURNER_ROLE) {
    uint256 sharesAmount = getSharesByRUSDY(_amount);

    _burnShares(_account, sharesAmount);

-   usdy.transfer(msg.sender, sharesAmount / BPS_DENOMINATOR);
+   usdy.transfer(_account, sharesAmount / BPS_DENOMINATOR);

    emit TokensBurnt(_account, _amount);
  }

Assessed type

Context
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 4, 2023
code423n4 added a commit that referenced this issue Sep 4, 2023
@code423n4
hals issue #85
e1de69e
@raymondfam
Copy link

A valid point. But will leave it to the sponsor whether or not this is intended.

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Sep 7, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Sep 7, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

This was referenced Sep 7, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@c4-pre-sort
Copy link

raymondfam marked the issue as high quality report

@c4-pre-sort c4-pre-sort added high quality report This report is of especially high quality and removed sufficient quality report This report is of sufficient quality labels Sep 10, 2023
@c4-sponsor
Copy link

ypatil12 (sponsor) disputed

@c4-sponsor c4-sponsor added sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels Sep 11, 2023
@c4-sponsor
Copy link

ypatil12 marked the issue as disagree with severity

@ypatil12
Copy link

This is by design as a permissioned token. If a user who mints rUSDY becomes sanctioned, we would have to burn the user's rUSDY and seize there USDY. The user with the BURNER_ROLE is a trusted party.

@kirk-baird
Copy link

Given this is a clear design choice and is behaving as intended I'm going to reduce this issue to QA since it does provide the admin with a method of draining USDY from the protocol.

@c4-judge c4-judge removed the 3 (High Risk) Assets can be stolen/lost/compromised directly label Sep 19, 2023
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Sep 19, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as grade-c

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Sep 24, 2023
@c4-judge c4-judge reopened this Sep 26, 2023
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Sep 26, 2023
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by kirk-baird

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Sep 26, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added grade-b and removed grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Sep 27, 2023
@c4-judge
Copy link
Contributor

kirk-baird marked the issue as grade-b

@C4-Staff C4-Staff closed this as completed Oct 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b high quality report This report is of especially high quality primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@kirk-baird @ypatil12 @code423n4 @raymondfam @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff