Platform: Code4rena
Start Date: 28/09/2023
Pot Size: $36,500 USDC
Total HM: 5
Participants: 115
Period: 6 days
Judge: 0xDjango
Total Solo HM: 1
Id: 290
League: ETH
Rank: 101/115
Findings: 1
Award: $4.37
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Bauchibred
Also found by: 0x3b, 0xDetermination, 0xMosh, 0xScourgedev, 0xTheC0der, 0xTiwa, 0xWaitress, 0xdice91, 0xfusion, 0xpiken, 0xprinc, 0xweb3boy, ArmedGoose, Aymen0909, Breeje, Brenzee, Daniel526, DavidGiladi, DeFiHackLabs, Flora, Fulum, HChang26, Hama, IceBear, J4X, Krace, KrisApostolov, Maroutis, Mirror, MohammedRizwan, Norah, PwnStars, SPYBOY, TangYuanShen, Testerbot, ThreeSigma, Tricko, al88nsk, alexweb3, ast3ros, berlin-101, bin2chen, blutorque, btk, d3e4, deth, e0d1n, ether_sky, ge6a, gkrastenov, glcanvas, hals, imare, inzinko, jkoppel, jnforja, joaovwfreire, josephdara, kutugu, lotux, lsaudit, mahdirostami, merlin, n1punp, nadin, neumo, nisedo, nobody2018, oakcobalt, orion, peanuts, pep7siup, pina, ptsanev, rokinot, rvierdiiev, said, santipu_, sashik_eth, seerether, squeaky_cactus, terrancrypt, tonisives, twicek, vagrant, xAriextz, y4y
4.3669 USDC - $4.37
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L331 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L373
The issue(bool isIrrevocable, address[] calldata users) method can be called by Governance to mint Soulbound tokens to users. In the case where the user has been issued a Revocable Soulbound token, but at the current moment has staked less than MINIMUM_STAKED_XVS, their token can get burned by anyone. An attacker can call xvsUpdated(address user), before the user has a chance to increase their stake and this will lead to the user's token getting burned.
The issue(bool isIrrevocable, address[] calldata users) method does not take into account user's staked XVS and xvsUpdated(address user) can be called by anyone.
it("Issue: burn issued token", async () => { await prime.issue(false, [user1.getAddress(), user2.getAddress()]); const token = await prime.tokens(user1.getAddress()); expect(token.exists).to.be.equal(true); expect(token.isIrrevocable).to.be.equal(false); await prime.connect(user2).xvsUpdated(user1.getAddress()); const tokenAfterBurn = await prime.tokens(user1.getAddress()); expect(tokenAfterBurn.exists).to.be.equal(false); });
xvsUpdated(alice_address) and deletes her Soulbound Revocable Token.Manual Analysis
There are two possible mitigation steps and I will advise to implement both of them:
if (_xvsBalanceOfUser(user) < MINIMUM_STAKED_SVS) revert NotEnoughXVSStaked();
xvsUpdated(address user) so it can be called only by XVSVault.solif (msg.sender != xvsVault) revert NotAuthorized();
Invalid Validation
#0 - c4-pre-sort
2023-10-06T22:09:01Z
0xRobocop marked the issue as duplicate of #485
#1 - c4-judge
2023-10-31T17:56:54Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#2 - c4-judge
2023-11-03T02:21:12Z
fatherGoose1 marked the issue as grade-b