Spectra - Brenzee's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $36,500 USDC

Total HM: 2

Participants: 39

Period: 7 days

Judge: Dravee

Id: 338

League: ETH

Researcher Performance

Rank: 28/39

Findings: 1

Award: $53.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

53.7155 USDC - $53.72

Labels

bug
2 (Med Risk)
partial-50
sufficient quality report
:robot:_33_group
duplicate-210

External Links

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/b35bbf78ad9d0e74e9c8450a0c5c6d35b68f7228/src/tokens/PrincipalToken.sol#L460-L462
https://github.com/code-423n4/2024-02-spectra/blob/b35bbf78ad9d0e74e9c8450a0c5c6d35b68f7228/src/tokens/PrincipalToken.sol#L483-L485

Vulnerability details

Impact

PrincipalToken.sol does not comply with the ERC5095 standard. Users and integrating contracts that expect PrincipalToken to follow ERC5095 rules may be DoSed (a view call reverts) or receive unexpected values (a non-zero limit while withdrawals are disabled).

Proof of Concept

Two functions that do not comply with ERC5095 rules:

maxWithdraw(address) function:

    function maxWithdraw(address owner) public view override whenNotPaused returns (uint256) {
        return convertToUnderlying(_maxBurnable(owner));
    }

According to ERC5095:

maxWithdraw MUST factor in both global and user-specific limits, like if withdrawals are entirely disabled (even temporarily) it MUST return 0.

The maxWithdraw function in the PrincipalToken contract carries the whenNotPaused modifier, so it reverts while the contract is paused, whereas ERC5095 requires it to return 0.

maxRedeem(address) function:

    function maxRedeem(address owner) public view override returns (uint256) {
        return _maxBurnable(owner);
    }

According to ERC5095:

maxRedeem MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0.

The maxRedeem function in the PrincipalToken contract does not check whether the contract is paused, so it reports a non-zero redeemable amount while redemption is disabled; ERC5095 requires it to return 0 while PrincipalToken is paused.
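To make both requirements concrete, the following is an added, self-contained Solidity sketch; it is not Spectra's code. `PausablePrincipalTokenDemo`, `IntegratorDemo`, the 1:1 conversion rate and the balance-based `_maxBurnable` are constructed stand-ins for the real PrincipalToken logic. It puts the two non-compliant getters, as reported above, next to compliant versions and shows how an integrator that sizes a withdrawal from `maxWithdraw` fares while the token is paused: the reverting getter takes the caller's whole transaction down with it, the compliant one simply reports 0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal stand-in for a pausable PrincipalToken (constructed for this example).
/// `_maxBurnable` and `convertToUnderlying` are simplified placeholders so the
/// contract compiles on its own; Spectra's real accounting is not reproduced.
contract PausablePrincipalTokenDemo {
    bool private _paused;
    address public immutable admin;
    mapping(address => uint256) public balanceOf;
    // Constructed 1:1 rate; the real contract derives it from the IBT/yield state.
    uint256 public constant RATE = 1e18;

    error EnforcedPause();

    constructor() {
        admin = msg.sender;
    }

    modifier whenNotPaused() {
        if (_paused) revert EnforcedPause();
        _;
    }

    function paused() public view returns (bool) {
        return _paused;
    }

    function setPaused(bool p) external {
        require(msg.sender == admin, "not admin");
        _paused = p;
    }

    // Demo-only mint so balances can be seeded for a walkthrough.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function _maxBurnable(address owner) internal view returns (uint256) {
        return balanceOf[owner];
    }

    function convertToUnderlying(uint256 principal) public pure returns (uint256) {
        return (principal * RATE) / 1e18;
    }

    // As reported: reverts while paused instead of returning 0.
    function maxWithdrawNonCompliant(address owner) public view whenNotPaused returns (uint256) {
        return convertToUnderlying(_maxBurnable(owner));
    }

    // As reported: ignores the paused state entirely.
    function maxRedeemNonCompliant(address owner) public view returns (uint256) {
        return _maxBurnable(owner);
    }

    // Compliant with ERC5095: 0 while paused, never reverts.
    function maxWithdraw(address owner) public view returns (uint256) {
        return _paused ? 0 : convertToUnderlying(_maxBurnable(owner));
    }

    function maxRedeem(address owner) public view returns (uint256) {
        return _paused ? 0 : _maxBurnable(owner);
    }
}

/// A router/aggregator that reads maxWithdraw before calling withdraw, the
/// integrator pattern ERC5095's "MUST NOT revert" language exists for.
contract IntegratorDemo {
    // Non-compliant getter: while paused the call reverts, so without this
    // try/catch the integrator's entire transaction would revert (the DoS).
    function previewNonCompliant(PausablePrincipalTokenDemo pt, address owner)
        external
        view
        returns (bool ok, uint256 amount)
    {
        try pt.maxWithdrawNonCompliant(owner) returns (uint256 a) {
            return (true, a);
        } catch {
            return (false, 0);
        }
    }

    // Compliant getter: 0 while paused, so a plain call is always safe.
    function previewCompliant(PausablePrincipalTokenDemo pt, address owner)
        external
        view
        returns (bool ok, uint256 amount)
    {
        return (true, pt.maxWithdraw(owner));
    }
}
```

To walk through it: deploy `PausablePrincipalTokenDemo`, `mint` some balance to an address, call `setPaused(true)`, then compare `previewNonCompliant` (returns `(false, 0)` because the getter reverted) with `previewCompliant` (returns `(true, 0)`) and note that `maxRedeemNonCompliant` still reports the full balance even though redemption is disabled.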

Tools Used

Manual Review

Recommended Mitigation Steps

Make sure maxRedeem and maxWithdraw comply with ERC5095 rules.

Below are my suggestions for the maxWithdraw and maxRedeem functions.

maxWithdraw:

    function maxWithdraw(address owner) public view override returns (uint256) {
        return paused() ? 0 : convertToUnderlying(_maxBurnable(owner));
    }

maxRedeem:

    function maxRedeem(address owner) public view override returns (uint256) {
        return paused() ? 0 : _maxBurnable(owner);
    }

Assessed type

Other

#0 - c4-pre-sort

2024-03-03T09:20:22Z

gzeon-c4 marked the issue as duplicate of #33

#1 - c4-pre-sort

2024-03-03T09:20:25Z

gzeon-c4 marked the issue as sufficient quality report

#2 - c4-judge

2024-03-11T00:33:22Z

JustDravee marked the issue as partial-50

#3 - c4-judge

2024-03-11T00:33:26Z

JustDravee marked the issue as satisfactory

#4 - c4-judge

2024-03-14T06:18:42Z

JustDravee marked the issue as partial-50
