Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Admin can't burn rOUSG tokens if account is remove from KYC list or sanctioned. #206

Closed
c4-bot-5 opened this issue Apr 3, 2024 · 2 comments
Closed

Admin can't burn rOUSG tokens if account is remove from KYC list or sanctioned. #206

c4-bot-5 opened this issue Apr 3, 2024 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-32 🤖_26_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@c4-bot-5
Copy link
Contributor

c4-bot-5 commented Apr 3, 2024

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L624

Vulnerability details

Description:
The nat spec of burn functions says that admin can burn rOUSG tokens from any account. But it is not true, cause the admin can't burn rOUSG token of user which is remove from KYC list or sanctioned.

Proof of Concept:

  1. burn function: It is calling _burnShares function to burn the shares of particular address.
function burn(
    address _account,
    uint256 _amount
  ) external onlyRole(BURNER_ROLE) {
    uint256 ousgSharesAmount = getSharesByROUSG(_amount); 
    if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER)
      revert UnwrapTooSmall();

@>   _burnShares(_account, ousgSharesAmount); 
    ousg.transfer(
      msg.sender,
      ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
    );
    emit Transfer(address(0), msg.sender, getROUSGByShares(ousgSharesAmount));
    emit TransferShares(_account, address(0), ousgSharesAmount);
  }
  1. _burnShares function: Than it is calling _beforeTokenTransfer function to get the KYC and sanctioned status of _account.
  function _burnShares(
    address _account,
    uint256 _sharesAmount
  ) internal whenNotPaused returns (uint256) {
    require(_account != address(0), "BURN_FROM_THE_ZERO_ADDRESS");

@>   _beforeTokenTransfer(_account, address(0), _sharesAmount); //checking KYC for account

    uint256 accountShares = shares[_account];
    require(_sharesAmount <= accountShares, "BURN_AMOUNT_EXCEEDS_BALANCE");

    totalShares -= _sharesAmount; //decreasing totalShares with shares amount

    shares[_account] = accountShares - _sharesAmount;

    return totalShares; //return total shares
  }
  1. _beforeTokenTransfer function: And if now the _account is sanctioned or not in KYC list than the admin can't burn the rOUSG token of _account.
function _beforeTokenTransfer(
    address from,
    address to,
    uint256
  ) internal view {
    if (from != msg.sender && to != msg.sender) { 
      require(_getKYCStatus(msg.sender), "rOUSG: 'sender' address not KYC'd"); 
    }

@>  if (from != address(0)) {
      // If not minting
      require(_getKYCStatus(from), "rOUSG: 'from' address not KYC'd"); 
    }

    if (to != address(0)) {
      // If not burning
      require(_getKYCStatus(to), "rOUSG: 'to' address not KYC'd"); 
    }
  }

Impact:
Admin can't burn rOUSG tokens from any account as nat spec of burn function states.

Recommended Mitigation:
The recommended mitigation is to burn the rOUSG token directly in burn function rather in _burnShares function.

Assessed type

Context
@c4-bot-5 c4-bot-5 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 3, 2024
c4-bot-3 added a commit that referenced this issue Apr 3, 2024
@c4-bot-3
kartik_giri_47538 issue #206
e480400
@c4-bot-12 c4-bot-12 added the 🤖_26_group AI based duplicate group recommendation label Apr 3, 2024
@c4-pre-sort
Copy link

0xRobocop marked the issue as duplicate of #237

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Apr 9, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Apr 9, 2024

3docSec marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-32 🤖_26_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @c4-bot-5 @c4-bot-12