Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anyone can use burnDyad for others notes ids and block their transactions #1202

Closed
c4-bot-3 opened this issue Apr 25, 2024 · 10 comments
Closed

Anyone can use burnDyad for others notes ids and block their transactions #1202

c4-bot-3 opened this issue Apr 25, 2024 · 10 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-100 🤖_06_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-3
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/Dyad.sol#L46

Vulnerability details

Impact

burnDyad could cause DoS for other users transactions when they attempt to burn their full amount of dyad.

Proof of Concept

burnDyad is allowing the user to burn dyad amounts for his note id and other users note ids, It seems a part of the protocol design that allow such a feature to make burn dyad availabe not only for self burn amount of mintedDyad, also for others.

After investigating the method, we can see that dyad.burn(id, msg.sender, amount) is being called from VaultManagerV2 address as the caller (msg.sender), now if we move further to burn method, we will find that _burn(from, amount) is burning Dyad ERC20 tokens from the user caller address, moving forward in the next line mintedDyad[msg.sender][id] -= amount it seems that an amount is being decreased from mintedDyad mapping for the passed note id.

The case of the issue:
Supposed Bob would like to burn a 100 Dyad (his max Dyad minted amount) to achieve a withdraw for his collateral, Bob will call burn passing 100e18 amount as 100 of Dyad tokens, Alex will front-run Bob and call burn method, passing the note id of Bob (let's say id 8) with a minimum amount of 1 WEI Dyad , Bob's transaction will fail since his amount of mintedDyad become less than 100e18 and it will revert here mintedDyad[msg.sender][id] -= amount.

Since no check for isDNftOwner modifier on burn method, anyone can pass different note ids for other users and decrease their mintedDyad amount, this attack is cheap.

Tools Used

Manual Review

Recommended Mitigation Steps

Add isDNftOwner modifier on burn method, update other parts of the code accordingly.

Assessed type

DoS
@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 25, 2024
c4-bot-3 added a commit that referenced this issue Apr 25, 2024
@c4-bot-3
Evo issue #1202
73f4c3f
@c4-bot-13 c4-bot-13 added the 🤖_06_group AI based duplicate group recommendation label Apr 25, 2024
@c4-pre-sort
Copy link

JustDravee marked the issue as duplicate of #409

@c4-pre-sort
Copy link

JustDravee marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Apr 29, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 5, 2024

koolexcrypto marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label May 5, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 9, 2024

koolexcrypto marked the issue as not a duplicate

@c4-judge
Copy link
Contributor

c4-judge commented May 9, 2024

koolexcrypto marked the issue as duplicate of #74

@c4-judge c4-judge added nullified Issue is high quality, but not accepted and removed unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels May 9, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 9, 2024

koolexcrypto marked the issue as nullified

@c4-judge
Copy link
Contributor

c4-judge commented May 9, 2024

koolexcrypto marked the issue as not nullified

@c4-judge c4-judge removed the nullified Issue is high quality, but not accepted label May 9, 2024
@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as duplicate of #992

@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label May 11, 2024
@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as duplicate of #100

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-100 🤖_06_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @c4-bot-3 @c4-bot-13