Platform: Code4rena
Start Date: 21/07/2023
Pot Size: $90,500 USDC
Total HM: 8
Participants: 60
Period: 7 days
Judge: 0xean
Total Solo HM: 2
Id: 264
League: ETH
Rank: 29/60
Findings: 1
Award: $471.90
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Juntao
Also found by: Jiamin, Juntao, UniversalCrypto, auditsea, circlelooper, crunch, lanrebayode77, vangrim, zaevlad
471.8972 USDC - $471.90
Community approval can be bypassed to spend funds in ArcadeTreasury.
Funds in ArcadeTreasury can be spent by GSC or by accounts approved by GSC. Such spends must not exceed the GSC allowance, which ADMIN_ROLE sets through the setGSCAllowance method:
```solidity
function setGSCAllowance(address token, uint256 newAllowance) external onlyRole(ADMIN_ROLE) {
    if (token == address(0)) revert T_ZeroAddress("token");
    if (newAllowance == 0) revert T_ZeroAmount();

    // enforce cool down period
    if (uint48(block.timestamp) < lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN) {
        revert T_CoolDownPeriod(block.timestamp, lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN);
    }

    uint256 spendLimit = spendThresholds[token].small;
    // new limit cannot be more than the small threshold
    if (newAllowance > spendLimit) {
        revert T_InvalidAllowance(newAllowance, spendLimit);
    }

    // update allowance state
    lastAllowanceSet[token] = uint48(block.timestamp);
    gscAllowance[token] = newAllowance;

    emit GSCAllowanceUpdated(token, newAllowance);
}
```
It is worth noting that this method does not reset the token allowances already approved by GSC, so GSC may have approved a spender for more than the new GSC allowance before the update.
Let's assume GSC approves 1000e18 to Bob, and afterwards ADMIN_ROLE sets the GSC allowance to 500e18, meaning any spend above 500e18 should now require community approval. Because Bob's allowance is not reset, he can bypass community approval and spend more than 500e18 tokens.
Manual Review
Token allowances approved by GSC should be reset whenever the GSC allowance is updated.
Access Control
#0 - c4-pre-sort
2023-07-29T16:27:46Z
141345 marked the issue as duplicate of #480
#1 - c4-pre-sort
2023-07-29T16:42:14Z
141345 marked the issue as duplicate of #59
#2 - c4-pre-sort
2023-08-01T07:07:19Z
141345 marked the issue as duplicate of #58
#3 - c4-judge
2023-08-10T14:42:48Z
0xean changed the severity to 2 (Med Risk)
#4 - c4-judge
2023-08-11T01:40:41Z
0xean marked the issue as satisfactory
🌟 Selected for report: Juntao
Also found by: Jiamin, Juntao, UniversalCrypto, auditsea, circlelooper, crunch, lanrebayode77, vangrim, zaevlad
471.8972 USDC - $471.90
GSC cannot reduce ArcadeTreasury token allowance.
GSC can approve tokens to be pulled from the treasury by calling the gscApprove method; the approved amount is deducted from the GSC allowance:
```solidity
function gscApprove(
    address token,
    address spender,
    uint256 amount
) external onlyRole(GSC_CORE_VOTING_ROLE) nonReentrant {
    if (spender == address(0)) revert T_ZeroAddress("spender");
    if (amount == 0) revert T_ZeroAmount();

    // Will underflow if amount is greater than remaining allowance
    gscAllowance[token] -= amount;

    _approve(token, spender, amount, spendThresholds[token].small);
}
```
Because the full new amount is always deducted, GSC may be unable to reduce an existing allowance due to underflow. Let's assume the GSC allowance is 1500e18 and GSC approves 1000e18 tokens to Bob, so the GSC allowance becomes 500e18 (1500e18 - 1000e18). If GSC then wants to reduce Bob's allowance to 800e18, the transaction fails because of the underflow (500e18 - 800e18).
Manual Review
Please consider not reducing the GSC allowance when the new approved allowance is less than the old approved allowance.
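The following Python model, added here as an illustration and not part of the ArcadeTreasury code, reproduces both findings above: the stale spender approval that survives a lowered GSC allowance, and the underflow that blocks reducing an approval. It tracks only gscAllowance and the spender approvals (cooldown and thresholds are omitted, and the "hardened" variants implement the two recommendations as stated: deduct only the increase, and reset approvals when the GSC allowance changes).

```python
E18 = 10 ** 18


class Underflow(Exception):
    """Stands in for the revert of Solidity 0.8 checked subtraction."""


class Treasury:
    """Toy model of gscAllowance[token] and the ERC20 allowances the treasury grants."""

    def __init__(self, gsc_allowance: int, hardened: bool):
        self.hardened = hardened
        self.gsc_allowance = gsc_allowance
        self.spender_allowance: dict[str, int] = {}

    def gsc_approve(self, spender: str, amount: int) -> None:
        old = self.spender_allowance.get(spender, 0)
        # Original: always deduct the full new amount. Hardened: deduct only the
        # increase, so lowering an existing approval never touches gscAllowance.
        deduct = amount if not self.hardened else max(amount - old, 0)
        if deduct > self.gsc_allowance:
            raise Underflow(f"{self.gsc_allowance} - {deduct}")
        self.gsc_allowance -= deduct
        self.spender_allowance[spender] = amount  # _approve overwrites the old value

    def set_gsc_allowance(self, new_allowance: int) -> None:
        self.gsc_allowance = new_allowance
        if self.hardened:
            self.spender_allowance.clear()  # revoke approvals granted under the old cap

    def pull(self, spender: str, amount: int) -> bool:
        """transferFrom by the spender; succeeds only within its outstanding approval."""
        if self.spender_allowance.get(spender, 0) < amount:
            return False
        self.spender_allowance[spender] -= amount
        return True


def bypass_scenario(hardened: bool) -> bool:
    """Finding 1: can Bob still pull 1000e18 after ADMIN_ROLE lowers the cap to 500e18?"""
    t = Treasury(gsc_allowance=1500 * E18, hardened=hardened)
    t.gsc_approve("bob", 1000 * E18)
    t.set_gsc_allowance(500 * E18)
    return t.pull("bob", 1000 * E18)


def reduce_scenario(hardened: bool) -> bool:
    """Finding 2: can GSC lower Bob's approval from 1000e18 to 800e18 without reverting?"""
    t = Treasury(gsc_allowance=1500 * E18, hardened=hardened)
    t.gsc_approve("bob", 1000 * E18)  # gscAllowance becomes 500e18
    try:
        t.gsc_approve("bob", 800 * E18)  # original: 500e18 - 800e18 underflows
    except Underflow:
        return False
    return True
```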
Access Control
#0 - c4-pre-sort
2023-07-29T14:01:58Z
141345 marked the issue as duplicate of #58
#1 - c4-judge
2023-08-10T14:42:48Z
0xean changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-08-11T01:40:40Z
0xean marked the issue as satisfactory