The admin wont be able to burn rOUSG from sanctioned addresses because of a check in _beforeTokenTransfer #147

c4-bot-6 · 2024-04-02T21:21:47Z

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L632

Vulnerability details

The rOUSG.sol contracts has a burner role which is able to burn rOUSG from any address. The burn() function will be used to seize rOUSG/OUSG when the address is not legally allowed to own it. The problem is that the user will likely be sanctioned before the rOUSG is seized to freeze the funds but because the _burnShares() function calls _beforeTokenTransfer(), the tx will revert because of the check of the from address in _beforeTokenTransfer() which will be the sanctioned address causing the check to revert.

if (from != address(0)) {
   // If not minting
   require(_getKYCStatus(from), "rOUSG: 'from' address not KYC'd");
}

Although this finding was submitted in the previous contest a big difference here is that the KYCRegistry uses a Chainalysis sanction oracle for the checks in _beforeTokenTransfer(). In the previous contest this could have been bypassed by the admin batch executing transactions but because we are now using the Chainalysis oracle we will not be able to simply remove the sanctioned address from the oracle, burn the tokens and add it again.

Impact

The admin wont be able to seize tokens from the sanctioned address because burning will always fail. The sanctioned address will be left with the tokens stuck in the wallet.

Proof of Concept

Add this to rOUSG.t.sol, as you can see burning from a sanctioned address will fail.

function testBurningROUSG() public dealAliceROUSG(1e18) {
    assertEq(rOUSGToken.balanceOf(alice), 100e18);

    vm.startPrank(OUSG_GUARDIAN);
    rOUSGToken.grantRole(rOUSGToken.BURNER_ROLE(), OUSG_GUARDIAN);

    //ALice gets added to the Chainalysis sanctions oracle
    _restrictOUSGUser(alice);

    vm.expectRevert("rOUSG: 'from' address not KYC'd");
    rOUSGToken.burn(alice,100e18);
    vm.stopPrank();
  }

Tools Used

Foundry

Recommended Mitigation Steps

Burn the tokens without the _beforeTokenTransfer() check

Assessed type

Token-Transfer

The text was updated successfully, but these errors were encountered:

c4-pre-sort · 2024-04-04T05:11:28Z

0xRobocop marked the issue as duplicate of #237

c4-judge · 2024-04-09T08:32:44Z

3docSec marked the issue as satisfactory

c4-bot-6 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 2, 2024

c4-bot-6 added a commit that referenced this issue Apr 2, 2024

Arz issue #147

984e70d

c4-bot-12 added the 🤖_26_group AI based duplicate group recommendation label Apr 3, 2024

c4-pre-sort closed this as completed Apr 4, 2024

c4-pre-sort added the duplicate-237 label Apr 4, 2024

c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-32 and removed duplicate-237 labels Apr 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The admin wont be able to burn rOUSG from sanctioned addresses because of a check in _beforeTokenTransfer #147

The admin wont be able to burn rOUSG from sanctioned addresses because of a check in _beforeTokenTransfer #147

c4-bot-6 commented Apr 2, 2024

c4-pre-sort commented Apr 4, 2024

c4-judge commented Apr 9, 2024

The admin wont be able to burn rOUSG from sanctioned addresses because of a check in _beforeTokenTransfer #147

The admin wont be able to burn rOUSG from sanctioned addresses because of a check in _beforeTokenTransfer #147

Comments

c4-bot-6 commented Apr 2, 2024

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

c4-pre-sort commented Apr 4, 2024

c4-judge commented Apr 9, 2024