Platform: Code4rena
Start Date: 23/02/2024
Pot Size: $36,500 USDC
Total HM: 2
Participants: 39
Period: 7 days
Judge: Dravee
Id: 338
League: ETH
Rank: 24/39
Findings: 1
Award: $80.57
🌟 Selected for report: 0
🚀 Solo Findings: 0
80.5733 USDC - $80.57
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L460
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L807
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L829
Rationally, EIP-5095 relies heavily on the framework established by EIP-4626, because Principal Tokens can technically be considered a subset of Yield Bearing Vaults. However, the non-compliant functions appear in both EIPs' official requirements.
Other protocols that integrate with Spectra may wrongly assume that the functions are EIP-5095 compliant. This might cause integration problems in the future that can lead to a wide range of issues for both parties.
Here are all the official EIP-5095 requirements. Non-compliant functions are listed below, along with the reasons for their non-compliance:
MUST NOT revert, MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0:
maxWithdraw reverts if the contract is paused, because of the whenNotPaused modifier.
Missing support for approved operator. MUST support a withdraw/redeem flow where the principal tokens are burned from holder directly where holder is msg.sender or msg.sender has EIP-20 approval over the principal tokens of holder:
withdraw reverts with UnauthorizedCaller when calling _beforeWithdraw if the owner is not the msg.sender.
redeem reverts with UnauthorizedCaller when calling _beforeRedeem if the owner is not the msg.sender.
maxWithdraw should not revert and should return 0 if the contract is paused.
_beforeWithdraw and _beforeRedeem should check for EIP-20 approval before reverting with UnauthorizedCaller. The internal function ERC20Upgradeable.sol#_spendAllowance() can be used to check and update the owner's allowance for the spender (msg.sender). This fix would also allow other functions like withdrawIBT or redeemForIBT to support approved operators.
Other
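The two mitigations recommended in the finding above, shown together in a minimal token. This is an added example, not Spectra's PrincipalToken code: the contract name, the admin/pause wiring, the 1:1 rate and the use of non-upgradeable OpenZeppelin Contracts v5 import paths are assumptions made so the sketch compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Spectra's PrincipalToken.
// Assumes OpenZeppelin Contracts v5 import paths and a 1:1 PT/underlying rate.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

contract PrincipalTokenSketch is ERC20, Pausable {
    using SafeERC20 for IERC20;
    IERC20 public immutable underlying;          // hypothetical underlying asset
    address public immutable admin = msg.sender; // hypothetical pauser

    constructor(IERC20 underlying_) ERC20("Sketch PT", "sPT") { underlying = underlying_; }

    function pause() external { require(msg.sender == admin, "not admin"); _pause(); }

    function deposit(uint256 assets, address receiver) external whenNotPaused {
        underlying.safeTransferFrom(msg.sender, address(this), assets);
        _mint(receiver, assets);
    }

    // No whenNotPaused modifier: the view never reverts and reports 0 while paused.
    function maxWithdraw(address owner) public view returns (uint256) {
        return paused() ? 0 : balanceOf(owner);
    }

    // msg.sender must be the owner or hold an EIP-20 allowance from the owner.
    // _spendAllowance reverts on insufficient allowance and decrements it otherwise.
    function _authorize(address owner, uint256 shares) internal {
        if (owner != msg.sender) _spendAllowance(owner, msg.sender, shares);
    }

    function redeem(uint256 shares, address receiver, address owner) external whenNotPaused returns (uint256 assets) {
        _authorize(owner, shares);
        _burn(owner, shares);
        assets = shares; // 1:1 rate assumed for the sketch
        underlying.safeTransfer(receiver, assets);
    }

    function withdraw(uint256 assets, address receiver, address owner) external whenNotPaused returns (uint256 shares) {
        shares = assets; // 1:1 rate assumed for the sketch
        _authorize(owner, shares);
        _burn(owner, shares);
        underlying.safeTransfer(receiver, assets);
    }
}
```

The state-changing paths keep whenNotPaused, so integrators that read maxWithdraw first see 0 instead of hitting a revert, and an operator without allowance is rejected by _spendAllowance rather than by a caller-identity check.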
#0 - c4-pre-sort
2024-03-03T09:20:47Z
gzeon-c4 marked the issue as duplicate of #33
#1 - c4-pre-sort
2024-03-03T09:20:51Z
gzeon-c4 marked the issue as sufficient quality report
#2 - c4-judge
2024-03-11T00:29:37Z
JustDravee marked the issue as partial-75
#3 - c4-judge
2024-03-11T00:29:40Z
JustDravee marked the issue as satisfactory
#4 - c4-judge
2024-03-14T06:24:41Z
JustDravee marked the issue as partial-75