Spectra - Franklin's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $36,500 USDC

Total HM: 2

Participants: 39

Period: 7 days

Judge: Dravee

Id: 338

League: ETH

Spectra

Findings Distribution

Researcher Performance

Rank: 34/39

Findings: 1

Award: $26.86

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

26.8578 USDC - $26.86

Labels

bug
2 (Med Risk)
partial-25
sufficient quality report
:robot:_33_group
duplicate-210

External Links

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L483

Vulnerability details

Impact

The docs state that the Principal Token is EIP-5095 compliant:

This is the core contract of Spectra. The Principal Token is EIP-5095 and EIP-2612 compliant.

But it doesn't follow the standard correctly. Per EIP-5095, maxRedeem MUST factor in both global and user-specific limits; for example, if redemption is entirely disabled (even temporarily) it MUST return 0. This is not the case currently: even if the contract is paused, the maxRedeem method still returns the maxBurnable value for the caller.
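The pattern described above, as an added Solidity sketch that is not Spectra's PrincipalToken code; `PausablePrincipalBase`, `paused`, `_maxBurnable` and the 1:1 principal-to-underlying redemption are assumptions for illustration only:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative base only; `paused`, `_balances` and `_maxBurnable` are
// assumed names for this sketch, not Spectra's internals.
abstract contract PausablePrincipalBase {
    bool public paused;
    mapping(address => uint256) internal _balances;

    function setPaused(bool p) external { paused = p; } // access control omitted in sketch

    modifier whenNotPaused() {
        require(!paused, "redemption disabled");
        _;
    }

    // User-specific limit: the principal balance the owner could burn.
    function _maxBurnable(address owner) internal view returns (uint256) {
        return _balances[owner];
    }

    // Shared redeem path. The pause is enforced here, so a conformant
    // maxRedeem must report 0 under exactly the same condition.
    function _redeem(uint256 principal, address owner) internal whenNotPaused returns (uint256) {
        require(principal <= _maxBurnable(owner), "exceeds maxRedeem");
        _balances[owner] -= principal;
        return principal; // 1:1 underlying assumed for the sketch
    }
}

// The pattern the finding describes: maxRedeem reports the per-user limit
// while paused, although redeem() for that same amount would revert.
contract NonCompliantMaxRedeem is PausablePrincipalBase {
    function maxRedeem(address owner) public view returns (uint256) {
        return _maxBurnable(owner); // ignores the global (pause) limit
    }
    function redeem(uint256 principal, address, address owner) external returns (uint256) {
        return _redeem(principal, owner);
    }
}

// EIP-5095 shape: the global limit (pause) and the user limit are both applied,
// so integrators reading maxRedeem() see 0 whenever redemption is disabled.
contract CompliantMaxRedeem is PausablePrincipalBase {
    function maxRedeem(address owner) public view returns (uint256) {
        if (paused) return 0;
        return _maxBurnable(owner);
    }
    function redeem(uint256 principal, address, address owner) external returns (uint256) {
        return _redeem(principal, owner);
    }
}
```

The same global-versus-user split applies to the other EIP-5095 preview/limit methods, so a review should compare each override against the condition its corresponding state-changing function reverts on.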

Tools Used

Go through the standard and follow it for all methods that override methods from ERC5095 implementation.

Assessed type

Other

#0 - c4-pre-sort

2024-03-03T09:22:26Z

gzeon-c4 marked the issue as duplicate of #33

#1 - c4-pre-sort

2024-03-03T09:22:28Z

gzeon-c4 marked the issue as sufficient quality report

#2 - c4-judge

2024-03-11T00:29:19Z

JustDravee marked the issue as partial-25

#3 - c4-judge

2024-03-11T00:29:22Z

JustDravee marked the issue as satisfactory

#4 - c4-judge

2024-03-14T06:24:33Z

JustDravee marked the issue as partial-25
