Platform: Code4rena
Start Date: 11/12/2023
Pot Size: $90,500 USDC
Total HM: 29
Participants: 127
Period: 17 days
Judge: TrungOre
Total Solo HM: 4
Id: 310
League: ETH
Rank: 16/127
Findings: 1
Award: $1,107.90
🌟 Selected for report: 0
🚀 Solo Findings: 0
1107.8966 USDC - $1,107.90
The getRewards() function at https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/SurplusGuildMinter.sol#L259
lets a user claim their accrued rewards, but to pay them out it calls the mint function of the RateLimitedMinter at https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/rate-limits/RateLimitedMinter.sol#L49,
which carries the whenNotPaused modifier. While the minter is paused, that inner call reverts, so getRewards() reverts as a whole and users are denied their rewards. This opens up an attack vector: whoever controls the pause can decide whether users are able to withdraw or claim any funds from the protocol.
This is a common centralization problem, meaning the contract owner can "rug" users.
manual code review
User funds can be left stuck in the contract.
If a Governor or Guardian renounces its role, or the multisig holding that role is compromised while the contract is paused, the rewards remain locked in the contract forever.
Remove the whenNotPaused modifier from the mint function, or implement a way for users to claim rewards without minting at claim time (pre-mint them into the contract), so that users can still claim vested tokens even if an admin pauses the contract.
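The pattern described in the finding and the pre-mint mitigation, as an added illustrative example written for this report and not the project's own code. All contract and function names here (PausableMinter, SurplusMinterBefore, SurplusMinterAfter, accrue, claimable) are assumptions that stand in for RateLimitedMinter and SurplusGuildMinter; the reward accrual and the token balances are constructed for the example and the access control on accrue() is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Stand-in for RateLimitedMinter (assumed name): a token whose mint() is gated by a
/// Guardian-controlled pause. Transfers are deliberately not pausable here.
contract PausableMinter {
    address public immutable guardian;
    bool public paused;
    mapping(address => uint256) public balanceOf; // constructed "GUILD" balances

    modifier whenNotPaused() {
        require(!paused, "Pausable: paused");
        _;
    }

    constructor(address _guardian) {
        guardian = _guardian;
    }

    function pause() external {
        require(msg.sender == guardian, "not guardian");
        paused = true;
    }

    function unpause() external {
        require(msg.sender == guardian, "not guardian");
        paused = false;
    }

    /// The call that getRewards() depends on: reverts for as long as the pause is active.
    function mint(address to, uint256 amount) external whenNotPaused {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable shape: the reward is minted inside the claim, so a pause on the minter
/// makes getRewards() revert and strands rewards the user has already earned.
contract SurplusMinterBefore {
    PausableMinter public immutable rlgm;
    mapping(address => uint256) public pendingReward; // constructed accrual for the example

    constructor(PausableMinter _rlgm) {
        rlgm = _rlgm;
    }

    function accrue(address user, uint256 amount) external {
        pendingReward[user] += amount;
    }

    function getRewards(address user) external {
        uint256 reward = pendingReward[user];
        pendingReward[user] = 0;
        rlgm.mint(user, reward); // reverts with "Pausable: paused" while paused
    }
}

/// Pre-mint shape: tokens are minted into this contract's custody when the reward is
/// earned, and the claim is a plain transfer that never touches the pausable mint().
contract SurplusMinterAfter {
    PausableMinter public immutable rlgm;
    mapping(address => uint256) public claimable;

    constructor(PausableMinter _rlgm) {
        rlgm = _rlgm;
    }

    /// Minting still honours the pause, but a pause now only delays new accrual;
    /// it can no longer withhold rewards that were already credited.
    function accrue(address user, uint256 amount) external {
        rlgm.mint(address(this), amount);
        claimable[user] += amount;
    }

    function getRewards(address user) external {
        uint256 reward = claimable[user];
        claimable[user] = 0;
        require(rlgm.transfer(user, reward), "transfer failed"); // works while paused
    }
}
```

To reproduce the finding against this toy: deploy PausableMinter with a guardian address, deploy both surplus minters pointing at it, call accrue(user, 1e18) on each, have the guardian call pause(), then call getRewards(user) on both. The call on SurplusMinterBefore reverts with "Pausable: paused" and the user's reward stays locked until (and unless) someone with the Guardian role unpauses; the call on SurplusMinterAfter credits the user because the tokens were already minted at accrual time. When auditing the real contracts, the check is to trace every path from the user's claim entry point down to the token movement and confirm none of them passes through a whenNotPaused function.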
Access Control
#0 - 0xSorryNotSorry
2024-01-03T18:57:55Z
inflated, since the Governor role is trusted
#1 - c4-pre-sort
2024-01-03T18:58:00Z
0xSorryNotSorry marked the issue as insufficient quality report
#2 - c4-judge
2024-01-21T19:36:38Z
Trumpero marked the issue as unsatisfactory: Invalid
#3 - Trumpero
2024-01-31T13:15:53Z
After reviewing again, I believe this is a dup of #1249.
#4 - c4-judge
2024-01-31T13:16:17Z
Trumpero marked the issue as duplicate of #1249
#5 - Trumpero
2024-01-31T13:17:54Z
Give this issue 75% partial credit due to its lack of quality
#6 - c4-judge
2024-01-31T13:17:58Z
Trumpero marked the issue as partial-75