Ethena Labs - RamenPeople's results

Enabling The Internet Bond

General Information

Platform: Code4rena

Start Date: 24/10/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 147

Period: 6 days

Judge: 0xDjango

Id: 299

League: ETH

Ethena Labs

Researcher Performance

Rank: 24/147

Findings: 2

Award: $280.94

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

119.1406 USDC - $119.14

Labels

bug
2 (Med Risk)
downgraded by judge
low quality report
satisfactory
duplicate-499

External Links

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L232

Vulnerability details

Affected contracts

StakedUSDe

Impact

The overridden _withdraw function checks whether the caller or the receiver of the withdrawal is blacklisted (holds FULL_RESTRICTED_STAKER_ROLE) and, if so, reverts the withdrawal.

However, it does not check whether the owner of the shares is blacklisted. A blacklisted owner can therefore approve another, non-blacklisted address as spender, and that approved address can withdraw the assets backing the blacklisted owner's shares.

The protection in _beforeTokenTransfer does not catch this case, because the shares burned during a withdrawal are transferred to the zero address, and that hook allows transfers to the zero address.

Proof of Concept

Consider the following scenario:

  1. The blacklist manager adds Alice's address to the blacklist. Alice can no longer withdraw her tokens directly.
  2. Alice approves Bob to spend her staking tokens (stUSDe).
  3. Bob withdraws Alice's assets to Bob's own address and then transfers them back to Alice's address.

Tools Used

Manual review

Recommended Mitigation Steps

Include the owner in the blacklist check: on withdrawal, revert if the owner of the shares being redeemed holds FULL_RESTRICTED_STAKER_ROLE, in addition to the existing checks on the caller and the receiver.
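The following is an added illustration, not the Ethena code: a vulnerable _withdraw override next to the corrected one, written against OpenZeppelin's ERC4626 _withdraw hook and AccessControl's hasRole, which the example assumes; the contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical vault reproducing the pattern in the finding (vulnerable form).
abstract contract RestrictedVaultBefore is ERC4626, AccessControl {
    bytes32 public constant FULL_RESTRICTED_STAKER_ROLE =
        keccak256("FULL_RESTRICTED_STAKER_ROLE");

    // Vulnerable: only `caller` and `receiver` are checked. `owner`, whose
    // shares are burned, is not. A restricted owner can approve a clean
    // address and have it redeem on their behalf; the share burn is a
    // transfer to address(0), which _beforeTokenTransfer permits.
    function _withdraw(
        address caller, address receiver, address owner,
        uint256 assets, uint256 shares
    ) internal virtual override {
        if (hasRole(FULL_RESTRICTED_STAKER_ROLE, caller) ||
            hasRole(FULL_RESTRICTED_STAKER_ROLE, receiver)) {
            revert("restricted");
        }
        super._withdraw(caller, receiver, owner, assets, shares);
    }
}

/// Same vault with the mitigation applied (fixed form).
abstract contract RestrictedVaultAfter is ERC4626, AccessControl {
    bytes32 public constant FULL_RESTRICTED_STAKER_ROLE =
        keccak256("FULL_RESTRICTED_STAKER_ROLE");

    // Fixed: the owner of the redeemed shares is checked as well, so an
    // approved spender cannot move assets out on behalf of a restricted owner.
    function _withdraw(
        address caller, address receiver, address owner,
        uint256 assets, uint256 shares
    ) internal virtual override {
        if (hasRole(FULL_RESTRICTED_STAKER_ROLE, caller) ||
            hasRole(FULL_RESTRICTED_STAKER_ROLE, receiver) ||
            hasRole(FULL_RESTRICTED_STAKER_ROLE, owner)) {
            revert("restricted");
        }
        super._withdraw(caller, receiver, owner, assets, shares);
    }
}
```

A regression test for the fix calls withdraw/redeem from an approved, unrestricted spender with a restricted owner and asserts that it reverts.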

Assessed type

Access Control

#0 - c4-pre-sort

2023-10-31T15:10:07Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-10-31T15:10:15Z

raymondfam marked the issue as duplicate of #7

#2 - c4-pre-sort

2023-10-31T15:10:31Z

raymondfam marked the issue as low quality report

#3 - c4-pre-sort

2023-11-01T19:45:09Z

raymondfam marked the issue as duplicate of #666

#4 - c4-judge

2023-11-13T19:33:38Z

fatherGoose1 marked the issue as satisfactory

#5 - c4-judge

2023-11-14T15:20:53Z

fatherGoose1 changed the severity to 2 (Med Risk)

Findings Information

Awards

161.7958 USDC - $161.80

Labels

bug
2 (Med Risk)
low quality report
satisfactory
duplicate-246

External Links

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225
https://github.com/code-423n4/2023-10-ethena/blob/main/test/foundry/staking/StakedUSDe.blacklist.t.sol#L133

Vulnerability details

Impact

The documentation states that users with the SOFT_RESTRICTED_STAKER_ROLE role cannot withdraw staked tokens: "They cannot deposit USDe to get stUSDe or withdraw stUSDe for USDe. However they can participate in earning yield by buying and selling stUSDe on the open market."

However, the code and its tests indicate that withdrawals are allowed for those users.

Proof of Concept

Here is the statement in the documentation: https://github.com/code-423n4/2023-10-ethena/blob/main/README.md#stakedusdev2sol

Here is the code that allows addresses with the SOFT_RESTRICTED_STAKER_ROLE role to withdraw their stake: https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225

Here is the test that checks that the withdrawal succeeds for addresses with the SOFT_RESTRICTED_STAKER_ROLE role: https://github.com/code-423n4/2023-10-ethena/blob/main/test/foundry/staking/StakedUSDe.blacklist.t.sol#L133

Tools Used

Manual review

Recommended Mitigation Steps

Either block withdrawals by SOFT_RESTRICTED_STAKER_ROLE addresses in the code, or update the documentation to match the implemented behaviour.

Assessed type

Access Control

#0 - c4-pre-sort

2023-10-31T15:14:51Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-10-31T15:15:16Z

raymondfam marked the issue as duplicate of #52

#2 - c4-judge

2023-11-10T21:40:50Z

fatherGoose1 marked the issue as satisfactory
