Ethena Labs - Cosine's results

Enabling The Internet Bond

General Information

Platform: Code4rena

Start Date: 24/10/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 147

Period: 6 days

Judge: 0xDjango

Id: 299

League: ETH

Ethena Labs

Researcher Performance

Rank: 40/147

Findings: 1

Award: $161.80

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

161.7958 USDC - $161.80

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-246

External Links

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L225-L238

Vulnerability details

Summary

As the docs state, addresses holding the soft restricted role must not be able to deposit into or withdraw from the staking contract, because doing so would be an illegal action for them. However, a missing check inside StakedUSDe._withdraw allows soft restricted users to withdraw.

Vulnerability Details

Here is what the docs say about the SOFT_RESTRICTED_STAKER_ROLE: “Due to legal requirements, there's a SOFT_RESTRICTED_STAKER_ROLE and FULL_RESTRICTED_STAKER_ROLE. The former is for addresses based in countries we are not allowed to provide yield to, for example USA. Addresses under this category will be soft restricted. They cannot deposit USDe to get stUSDe or withdraw stUSDe for USDe.”

Therefore, soft restricted users should not be able to withdraw. But as the _withdraw function shows, only the FULL_RESTRICTED_STAKER_ROLE is checked; the soft role is never consulted, so a soft restricted caller or receiver passes the check:

function _withdraw(address caller, address receiver, address _owner, uint256 assets, uint256 shares)
  internal
  override
  nonReentrant
  notZero(assets)
  notZero(shares)
{
  // Only the FULL restriction role is checked here. An address that holds
  // SOFT_RESTRICTED_STAKER_ROLE (but not the full role) reaches super._withdraw.
  if (hasRole(FULL_RESTRICTED_STAKER_ROLE, caller) || hasRole(FULL_RESTRICTED_STAKER_ROLE, receiver)) {
    revert OperationNotAllowed();
  }

  super._withdraw(caller, receiver, _owner, assets, shares);
  _checkMinShares();
}

Impact

Soft restricted users are able to withdraw stUSDe for USDe, which the docs describe as an illegal action for those addresses. The restriction the protocol relies on for legal compliance is therefore only half enforced: deposits may be blocked, but an address that already holds shares (or receives a withdrawal from another caller) can still exit.

Tools Used

Manual Review

Recommendations

Extend the check in _withdraw so that a caller or receiver holding SOFT_RESTRICTED_STAKER_ROLE reverts with OperationNotAllowed, exactly as FULL_RESTRICTED_STAKER_ROLE already does. This makes withdrawals match the documented policy that soft restricted addresses can neither deposit nor withdraw.
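The following is an added example of the recommended fix, written here for illustration; it is not Ethena's code and not the StakedUSDe contract. It builds a minimal ERC4626 vault on OpenZeppelin v5 and applies both restriction roles symmetrically in _deposit and _withdraw. The contract name RestrictedStakingVault, the MIN_SHARES constant, the _checkNotRestricted helper and the deposit-side logic are assumptions (the page only shows the withdraw path); the role names are the ones quoted from the docs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin v5 contracts
// are available at the import paths below.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract RestrictedStakingVault is ERC4626, AccessControl, ReentrancyGuard {
    // Role names taken from the docs quoted above; the hashes are a convention, not the project's values.
    bytes32 public constant SOFT_RESTRICTED_STAKER_ROLE = keccak256("SOFT_RESTRICTED_STAKER_ROLE");
    bytes32 public constant FULL_RESTRICTED_STAKER_ROLE = keccak256("FULL_RESTRICTED_STAKER_ROLE");

    // Illustrative stand-in for the original's minimum-share guard (value is an assumption).
    uint256 private constant MIN_SHARES = 1 ether;

    error OperationNotAllowed();
    error InvalidAmount();
    error MinSharesViolation();

    modifier notZero(uint256 amount) {
        if (amount == 0) revert InvalidAmount();
        _;
    }

    constructor(IERC20 asset_, address admin)
        ERC20("Staked Asset", "stASSET")
        ERC4626(asset_)
    {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // Reverts if either party holds either restriction role. Both roles are
    // consulted, so a soft restricted address is rejected the same way a
    // fully restricted one is. Hypothetical helper, not in the original.
    function _checkNotRestricted(address caller, address receiver) internal view {
        if (
            hasRole(SOFT_RESTRICTED_STAKER_ROLE, caller) ||
            hasRole(SOFT_RESTRICTED_STAKER_ROLE, receiver) ||
            hasRole(FULL_RESTRICTED_STAKER_ROLE, caller) ||
            hasRole(FULL_RESTRICTED_STAKER_ROLE, receiver)
        ) {
            revert OperationNotAllowed();
        }
    }

    // Deposit side: the page does not show the original's deposit logic, so
    // this override is an assumption showing the same check applied symmetrically.
    function _deposit(address caller, address receiver, uint256 assets, uint256 shares)
        internal
        override
        nonReentrant
        notZero(assets)
        notZero(shares)
    {
        _checkNotRestricted(caller, receiver);
        super._deposit(caller, receiver, assets, shares);
        _checkMinShares();
    }

    // Withdraw side: the fix for the finding. Compared with the snippet on
    // the page, the only behavioural change is that the soft role is now checked too.
    function _withdraw(address caller, address receiver, address _owner, uint256 assets, uint256 shares)
        internal
        override
        nonReentrant
        notZero(assets)
        notZero(shares)
    {
        _checkNotRestricted(caller, receiver);
        super._withdraw(caller, receiver, _owner, assets, shares);
        _checkMinShares();
    }

    // Illustrative minimum-share guard: either no shares exist or at least MIN_SHARES do.
    function _checkMinShares() internal view {
        uint256 supply = totalSupply();
        if (supply > 0 && supply < MIN_SHARES) revert MinSharesViolation();
    }
}
```

To verify the fix in a Foundry test, grant SOFT_RESTRICTED_STAKER_ROLE to an address that already holds shares, then call withdraw or redeem from it (and separately with it as receiver) and expect a revert with OperationNotAllowed.selector; the same calls from an unrestricted address should succeed. The example checks caller and receiver, mirroring the scope of the snippet on the page; whether _owner should also be checked is a policy decision the page does not address.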

Assessed type

Access Control

#0 - c4-pre-sort

2023-10-31T06:29:46Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-10-31T06:30:04Z

raymondfam marked the issue as duplicate of #52

#2 - c4-judge

2023-11-10T21:40:36Z

fatherGoose1 marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
