Ethena Labs - 0xG0P1's results

Enabling The Internet Bond

General Information

Platform: Code4rena

Start Date: 24/10/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 147

Period: 6 days

Judge: 0xDjango

Id: 299

League: ETH

Ethena Labs

Findings Distribution

Researcher Performance

Rank: 147/147

Findings: 1

Award: $4.52

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Ethena Labs

Findings Information

🌟 Selected for report: 0xmystery

Also found by: 0x11singh99, 0xAadi, 0xAlix2, 0xG0P1, 0xStalin, 0xWaitress, 0x_Scar, 0xhacksmithh, 0xhunter, 0xpiken, Al-Qa-qa, Arz, Avci, Bauchibred, BeliSesir, Breeje, Bughunter101, DarkTower, Eeyore, Fitro, HChang26, Imlazy0ne, J4X, JCK, Kaysoft, Kral01, Madalad, Mike_Bello90, Noro, PASCAL, PENGUN, Proxy, Rickard, Shubham, SovaSlava, Strausses, Team_Rocket, ThreeSigma, Topmark, Udsen, Walter, Yanchuan, Zach_166, ZanyBonzy, adam-idarrha, adeolu, almurhasan, arjun16, ast3ros, asui, ayden, btk, cartlex_, castle_chain, cccz, chainsnake, codynhat, critical-or-high, cryptonue, csanuragjain, deepkin, degensec, dirk_y, erebus, foxb868, ge6a, hunter_w3b, jasonxiale, kkkmmmsk, lanrebayode77, lsaudit, marchev, matrix_0wl, max10afternoon, nuthan2x, oakcobalt, oxchsyston, pavankv, peanuts, pep7siup, pipidu83, pontifex, ptsanev, qpzm, radev_sw, rokinot, rotcivegaf, rvierdiiev, sorrynotsorry, squeaky_cactus, supersizer0x, tnquanghuy0512, twcctop, twicek, young, zhaojie, ziyou-

Awards

4.5226 USDC - $4.52

Labels

bug

downgraded by judge

grade-b

low quality report

QA (Quality Assurance)

duplicate-136

Q-29

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L119-L128 https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L106-L113

Vulnerability details

Impact

Admin cant remove or add someone to blacklist

Proof of Concept

This comment @notice Allows the owner (DEFAULT_ADMIN_ROLE) and blacklist managers to blacklist addresses. says that Admin should able to add or remove from blacklist but only blacklist manager can only can do it

Tools Used

Manual review

Recommended Mitigation Steps

Allow Admin to remove/add to/from blacklist

Assessed type

Access Control

#0 - c4-pre-sort
2023-11-01T01:17:07Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort
2023-11-01T01:17:56Z

raymondfam marked the issue as duplicate of #136

#2 - c4-judge
2023-11-13T20:42:35Z

fatherGoose1 changed the severity to QA (Quality Assurance)

Ethena Labs - 0xG0P1's results

Enabling The Internet Bond

General Information

Findings Distribution

Researcher Performance

External Links

[Q-29] QA Report - $4.52

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-11-01T01:17:07Z

#1 - c4-pre-sort2023-11-01T01:17:56Z

#2 - c4-judge2023-11-13T20:42:35Z

#0 - c4-pre-sort
2023-11-01T01:17:07Z

#1 - c4-pre-sort
2023-11-01T01:17:56Z

#2 - c4-judge
2023-11-13T20:42:35Z