Back to Tigerfrake's contests

Spectra - Tigerfrake's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $36,500 USDC

Total HM: 2

Participants: 39

Period: 7 days

Judge: Dravee

Id: 338

League: ETH

Spectra

Findings Distribution

Researcher Performance

Rank: 39/39

Findings: 1

Award: $19.59

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositorySpectra

Findings Information

🌟 Selected for report: SBSecurity

Also found by: 0xDemon, 0xLuckyLuke, 14si2o_Flint, ArmedGoose, DarkTower, Shubham, Tigerfrake, cheatc0d3, peanuts, sl1

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sufficient quality report
:robot:_23_group
duplicate-253
Q-11

Awards

19.5868 USDC - $19.59

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L335

Vulnerability details

Impact

The redeem() function in the context of an ERC4626 token, as mentioned in the OpenZeppelin documentation, is designed to allow token holders to redeem their shares for underlying assets. According to the specification, the redeem() function:

MUST revert if all of shares cannot be redeemed (due to withdrawal limit being reached, slippage, the owner not having enough shares, etc).

However, in the claimFees() function, the line assets = IERC4626(ibt).redeem(ibts, msg.sender, address(this)); does not explicitly include this check and may result in loss of funds for the user.

Proof of Concept

    function claimFees() external override returns (uint256 assets) {
        if (msg.sender != IRegistry(registry).getFeeCollector()) {
            revert UnauthorizedCaller();
        }
        uint256 ibts = unclaimedFeesInIBT;
        unclaimedFeesInIBT = 0;
        assets = IERC4626(ibt).redeem(ibts, msg.sender, address(this));
        emit FeeClaimed(msg.sender, ibts, assets);
    }

The worst possible scenario in the context of the redeem() function in ERC4626 tokens, considering the discrepancy between the expected behavior outlined in the OpenZeppelin documentation and the actual implementation observed in the claimFees() function, could involve a failure to properly handle cases such as:

  • Slippage: Slippage occurs when the price of an asset changes between the time of a transaction and the time it is executed. If the redeem() function does not revert when slippage is too high, users might end up with less value in their redemption than they expected. This is because the price of the underlying assets could have decreased between the time the redemption request was made and when it was processed, leading to a loss of value.

Tools Used

Manual Review

To ensure that the contract behaves as expected and adheres to the guidelines provided by OpenZeppelin, you might consider adding explicit checks or conditions before calling the redeem() function.

Assessed type

ERC4626

#0 - c4-pre-sort

2024-03-03T12:45:26Z

gzeon-c4 marked the issue as duplicate of #198

#1 - c4-pre-sort

2024-03-03T12:45:29Z

gzeon-c4 marked the issue as sufficient quality report

#2 - c4-pre-sort

2024-03-03T14:13:38Z

gzeon-c4 marked the issue as duplicate of #253

#3 - c4-judge

2024-03-11T01:42:39Z

JustDravee marked the issue as unsatisfactory: Invalid

#4 - c4-judge

2024-03-14T21:47:34Z

JustDravee changed the severity to QA (Quality Assurance)

#5 - c4-judge

2024-03-14T21:48:08Z

JustDravee marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter