Platform: Code4rena
Start Date: 01/09/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 70
Period: 6 days
Judge: kirk-baird
Id: 281
League: ETH
Rank: 11/70
Findings: 2
Award: $904.14
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xDING99YA, 0xpiken, Inspecktor, SpicyMeatball, adriro, ast3ros, bin2chen, bowtiedvirus, kutugu, pep7siup, seerether
132.8375 USDC - $132.84
https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/DestinationBridge.sol#L85-L114
DestinationBridge._execute() is a function that is executed when contract is called by Axelar Gateway (https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/DestinationBridge.sol#L85 -L114). The function calculates bytes32 txnHash = keccak256(payload). txnHash is calculated based on payload. However, srcChain is not taken into account in payload.
(bytes32 version, address srcSender, uint256 amt, uint256 nonce) = abi .decode(payload, (bytes32, address, uint256, uint256));
Let's assume that a request with the same version, srcSender, amt, nonce has been received from different srcChain. This could very well happen. For these different requests, you get the same txnHash:
bytes32 txnHash = keccak256(payload);
This may result in the deletion of the valid txnHash. This will cancel the first txnHash and all its votes, as the current txnHash will replace the new one txnHashToTransaction[txnHash] = Transaction(srcSender, amt);
Manual review
Add srcChain to payload.
Context
#0 - c4-pre-sort
2023-09-08T01:57:28Z
raymondfam marked the issue as duplicate of #162
#1 - c4-pre-sort
2023-09-08T01:57:38Z
raymondfam marked the issue as sufficient quality report
#2 - c4-judge
2023-09-17T06:40:06Z
kirk-baird marked the issue as partial-50
#3 - c4-judge
2023-09-26T03:03:41Z
kirk-baird changed the severity to 2 (Med Risk)
771.2966 USDC - $771.30
https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L672-L683 https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L678 https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L626-L655
There are functions for blocking users: setBlocklist() - https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L698-L702 setAllowlist() - https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L709-L713 setSanctionsList() - https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L720-L724
Suppose the user has rUSDY tokens. Then it was added to the blocklist. His tokens will then be blocked.
There is a burn() function (https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L672-L683) where you can burn rUSDY tokens from any account . If a user is locked out, then their position must be forced to burn() in order for them to get their USDY tokens back. However, it is not possible to call the burn() function on a blocked user.
The burn() function calls the _burnShares() function (https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L678). The _burnShares() function contains _beforeTokenTransfer() (https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L626-L655) which returns an error if the user is on the blocklist or not on the whitelist. So calling burn() will return an error.
Manual review
Remove _beforeTokenTransfer() call from _burnShares() function
Context
#0 - c4-pre-sort
2023-09-08T04:06:56Z
raymondfam marked the issue as duplicate of #120
#1 - c4-pre-sort
2023-09-08T04:07:01Z
raymondfam marked the issue as sufficient quality report
#2 - c4-judge
2023-09-19T09:16:31Z
kirk-baird marked the issue as satisfactory