Ethena Labs - asui's results

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L148-L149

Vulnerability details

Impact

When the redistributeLockedAmount function in the StakedUSDe.sol is called by the owner to distribute the FULL_RESTRICTED_STAKER_ROLE's tokens to an address the SOFT_RESTRICTED_STAKER_ROLE is not checked. So the SOFT_RESTRICTED_STAKER_ROLE can still get rewards despite being blacklisted. There is a check for if (hasRole(FULL_RESTRICTED_STAKER_ROLE, from) && !hasRole(FULL_RESTRICTED_STAKER_ROLE, to)) FULL_RESTRICTED_STAKER_ROLE but missing check for SOFT_RESTRICTED_STAKER_ROLE.

The documentation below states that the the SOFT_RESTRICTED_STAKER_ROLE cannot be provided yield or deposit but can buy or sell on the open market however this is directly from the contract. Due to legal requirements, there's a SOFT_RESTRICTED_STAKER_ROLE and FULL_RESTRICTED_STAKER_ROLE. The former is for addresses based in countries we are not allowed to provide yield to, for example USA. Addresses under this category will be soft restricted. They cannot deposit USDe to get stUSDe or withdraw stUSDe for USDe. However they can participate in earning yield by buying and selling stUSDe on the open market.

Proof of Concept

//SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

import {Test} from "forge-std/Test.sol";
import {console} from "forge-std/console.sol";
import {StakedUSDe} from "contracts/StakedUSDe.sol";

contract mockUSDe is ERC20("mock USDe", "USDe") {
  function mint(address to, uint256 amount) public {
    _mint(to, amount);
  }
}

contract testStakedUSDe is Test {
  mockUSDe public USDe;
  StakedUSDe public stakedUSDe;

  address rewarder = makeAddr("REWARDER_ROLE");
  address owner = makeAddr("DEFAULT_ADMIN_ROLE");
  address Alice = makeAddr("alice");
  address user1 = makeAddr("user1");
  address user2 = makeAddr("user2");
  address blacklistManager = makeAddr("blacklist");

  function setUp() public {
    USDe = new mockUSDe();
    stakedUSDe = new StakedUSDe(USDe, rewarder, owner);

    // USDe.mint(rewarder, 1000 ether);
    // USDe.mint(Alice, 100 ether);
    USDe.mint(user1, 10 ether);
    USDe.mint(user2, 20 ether);

    vm.prank(owner);
    stakedUSDe.grantRole(keccak256("BLACKLIST_MANAGER_ROLE"), blacklistManager);
  }

  function testSoftRestricted() public {
    vm.startPrank(user1);
    USDe.approve(address(stakedUSDe), 10 ether);
    stakedUSDe.deposit(10 ether, user1);

    console.log(stakedUSDe.balanceOf(user1));

    vm.startPrank(user2);
    USDe.approve(address(stakedUSDe), 10 ether);
    stakedUSDe.deposit(10 ether, user2);
    

    vm.startPrank(blacklistManager);
    stakedUSDe.addToBlacklist(user1, false);
    stakedUSDe.addToBlacklist(user2, true);

    vm.startPrank(owner);
    stakedUSDe.redistributeLockedAmount(user2, user1);

    console.log(stakedUSDe.balanceOf(user1));
    
  }

create a new test file and paste the whole code above.

Tools Used

manual, foundry.

Recommended Mitigation Steps

add if (hasRole(SOFT_RESTRICTED_STAKER_ROLE, to) revert custom error in the redistributeLockedAmount function.

Assessed type

Invalid Validation