Platform: Code4rena
Start Date: 23/02/2024
Pot Size: $36,500 USDC
Total HM: 2
Participants: 39
Period: 7 days
Judge: Dravee
Id: 338
League: ETH
Rank: 16/39
Findings: 1
Award: $107.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
107.431 USDC - $107.43
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L229-L237 https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L278-L287 https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L483-L485
There are several functions that don't follow the ERC-5095 standard, the redeem() and withdraw() with all of their variations: MUST support a withdraw flow where the principal tokens are burned from holder directly where holder is msg.sender or msg.sender has EIP-20 approval over the principal tokens of holder as per the standard. Not following this part of the standard severely limits the functionality of the protocol. The maxRedeem() function MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0. This is not the case as the _beforeRedeem() function which is called in redeem() has the pause modifier, and if redemption is paused temporarily after maturity maxRedeem() will be returning the maxBurnable value instead of 0. maxWithdraw() function has the same requirement as maxRedeem() as per the standard, and fails to follow it in the same manner.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Manual Review
Follow the ERC5095 standard, for the redeem() and withdraw() functions consider the same implementation openzeppelin uses in their ERC4626 implementation
if (caller != owner) { _spendAllowance(owner, caller, shares); }
Context
#0 - c4-pre-sort
2024-03-03T09:18:59Z
gzeon-c4 marked the issue as duplicate of #33
#1 - c4-pre-sort
2024-03-03T09:19:15Z
gzeon-c4 marked the issue as sufficient quality report
#2 - c4-judge
2024-03-11T00:29:00Z
JustDravee marked the issue as partial-75
#3 - AtanasDimulski
2024-03-12T07:40:00Z
@JustDravee thanks for judging the contest in such a fast manner. I would urge you to reconsider the partial-75 label on this issue. I have pointed out the exact same functions that are not compatible with the ERC-5095 standard as the primary issue selected for this vulnerability. I have provided an exact code fix for the redeem() and withdraw() functions, contrary to the simple recommendation in the primary report, and I have also categorized the issue correctly, which the primary selected report has failed to do. I could even argue that this report is better than the primary, but I understand this is subjective. Nevertheless this report should be classified as a complete duplicate, and not a partial-75.
#4 - JustDravee
2024-03-14T06:56:58Z
Hey @AtanasDimulski,
It's true that you mentioned all issues in Impact, even if your recommendation led to think that you forgot some compliance issues.
Please, next time, use newlines for each category :)
But you're right, your list is complete, I'm removing the partial.
#5 - c4-judge
2024-03-14T06:57:03Z
JustDravee marked the issue as satisfactory