Platform: Code4rena
Start Date: 24/10/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 147
Period: 6 days
Judge: 0xDjango
Id: 299
League: ETH
Rank: 116/147
Findings: 1
Award: $4.52
Selected for report: 0
Solo Findings: 0
Selected for report: 0xmystery
Also found by: 0x11singh99, 0xAadi, 0xAlix2, 0xG0P1, 0xStalin, 0xWaitress, 0x_Scar, 0xhacksmithh, 0xhunter, 0xpiken, Al-Qa-qa, Arz, Avci, Bauchibred, BeliSesir, Breeje, Bughunter101, DarkTower, Eeyore, Fitro, HChang26, Imlazy0ne, J4X, JCK, Kaysoft, Kral01, Madalad, Mike_Bello90, Noro, PASCAL, PENGUN, Proxy, Rickard, Shubham, SovaSlava, Strausses, Team_Rocket, ThreeSigma, Topmark, Udsen, Walter, Yanchuan, Zach_166, ZanyBonzy, adam-idarrha, adeolu, almurhasan, arjun16, ast3ros, asui, ayden, btk, cartlex_, castle_chain, cccz, chainsnake, codynhat, critical-or-high, cryptonue, csanuragjain, deepkin, degensec, dirk_y, erebus, foxb868, ge6a, hunter_w3b, jasonxiale, kkkmmmsk, lanrebayode77, lsaudit, marchev, matrix_0wl, max10afternoon, nuthan2x, oakcobalt, oxchsyston, pavankv, peanuts, pep7siup, pipidu83, pontifex, ptsanev, qpzm, radev_sw, rokinot, rotcivegaf, rvierdiiev, sorrynotsorry, squeaky_cactus, supersizer0x, tnquanghuy0512, twcctop, twicek, young, zhaojie, ziyou-
4.5226 USDC - $4.52
https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L21
According to EIP-4626:
maxDeposit: MUST factor in both global and user-specific limits, like if deposits are entirely disabled (even temporarily) it MUST return 0.
maxMint: MUST factor in both global and user-specific limits, like if mints are entirely disabled (even temporarily) it MUST return 0.
maxWithdraw: MUST factor in both global and user-specific limits, like if withdrawals are entirely disabled (even temporarily) it MUST return 0.
maxRedeem: MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0.
However, in the implementation maxDeposit and maxMint do not return 0 when the depositor or minter has SOFT_RESTRICTED_STAKER_ROLE, and maxWithdraw and maxRedeem also do not return 0 when the owner of the tokens to be withdrawn or redeemed has FULL_RESTRICTED_STAKER_ROLE. The reported limits therefore overstate what a restricted address can actually do, which breaks composability with external projects that rely on these view functions.
Tools used: Manual review
Recommended mitigation: Modify the maxDeposit and maxMint functions to check whether the depositor or minter has SOFT_RESTRICTED_STAKER_ROLE and return 0 if so. Modify the maxWithdraw and maxRedeem functions to check whether the owner has FULL_RESTRICTED_STAKER_ROLE and return 0 if so.
Assessed type: ERC4626
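The mitigation above, shown on a hypothetical vault written for this note (it is not the Ethena StakedUSDe code). It assumes OpenZeppelin's ERC4626 and AccessControl; the contract name, token name and constructor are made up, and the role names follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example vault, not the project's own code. Assumes OpenZeppelin
// ERC4626 and AccessControl; only the role names come from the report.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract RestrictedStakingVault is ERC4626, AccessControl {
    bytes32 public constant SOFT_RESTRICTED_STAKER_ROLE = keccak256("SOFT_RESTRICTED_STAKER_ROLE");
    bytes32 public constant FULL_RESTRICTED_STAKER_ROLE = keccak256("FULL_RESTRICTED_STAKER_ROLE");

    constructor(IERC20 asset_, address admin)
        ERC20("Example Staked Token", "exSTK")
        ERC4626(asset_)
    {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // A soft-restricted receiver cannot be credited with new shares, so the
    // EIP-4626 limit views report 0 for it instead of the unrestricted limit.
    function maxDeposit(address receiver) public view override returns (uint256) {
        if (hasRole(SOFT_RESTRICTED_STAKER_ROLE, receiver)) return 0;
        return super.maxDeposit(receiver);
    }

    function maxMint(address receiver) public view override returns (uint256) {
        if (hasRole(SOFT_RESTRICTED_STAKER_ROLE, receiver)) return 0;
        return super.maxMint(receiver);
    }

    // A fully restricted owner cannot withdraw or redeem, so the limit views
    // report 0 for it rather than the owner's full balance.
    function maxWithdraw(address owner) public view override returns (uint256) {
        if (hasRole(FULL_RESTRICTED_STAKER_ROLE, owner)) return 0;
        return super.maxWithdraw(owner);
    }

    function maxRedeem(address owner) public view override returns (uint256) {
        if (hasRole(FULL_RESTRICTED_STAKER_ROLE, owner)) return 0;
        return super.maxRedeem(owner);
    }
}
```

The EIP-4626 limit functions receive only the receiver or owner address, so a restriction that the vault enforces on msg.sender at execution time cannot be reflected in these views; integrators should still expect the state-changing call to revert in that case.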
#0 - c4-pre-sort
2023-10-31T19:04:04Z
raymondfam marked the issue as low quality report
#1 - c4-pre-sort
2023-10-31T19:04:17Z
raymondfam marked the issue as duplicate of #222
#2 - c4-judge
2023-11-14T15:53:41Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-14T17:00:27Z
fatherGoose1 marked the issue as grade-b