Ondo Finance - merlin's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 14/70

Findings: 1

Award: $771.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xAsen

Also found by: 0xStalin, Arz, BenRai, Delvir0, Inspecktor, merlin

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-136

Awards

771.2966 USDC - $771.30

External Links

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L672

Vulnerability details

The natspec documentation for the rUSDY.burn function states: "Admin burn function for burning rUSDY tokens from any account". This is inaccurate, because the function cannot burn from every account.

Proof-of-Concept

This function is intended for use in situations where a user possesses USDY but is legally prohibited from owning it. If a user is blocked, sanctioned, or not on the allowlist, then an account with the BURNER_ROLE will not be able to burn the user's tokens.

Add the following mock contract and test to Test_rUSDY to reproduce it:

    // Mock blocklist that reports every address as blocked.
    contract BlockListMock {
      function isBlocked(address) external pure returns (bool) {
        return true;
      }
    }

    // Add to Test_rUSDY; `guardian`, `alice`, `rUSDYToken` and the
    // `dealAndWrapAlice` modifier come from that existing test harness.
    function test_rUSDY_adminCannotBurnFromBlocklistedAccount()
      public
      dealAndWrapAlice
    {
      vm.startPrank(guardian);
      BlockListMock blocklistContract = new BlockListMock();
      rUSDYToken.setBlocklist(address(blocklistContract));
      assertEq(address(rUSDYToken.blocklist()), address(blocklistContract));

      // Every address is blocked, so the burn by the BURNER_ROLE holder reverts.
      vm.expectRevert("rUSDY: 'sender' address blocked");
      rUSDYToken.burn(alice, 100e18);
    }

Impact

This does not align with the documentation, and the tokens belonging to such a user will be locked. Any other user who is on the allowlist and is neither blocked nor sanctioned can still have their tokens burned.

Tools Used

Manual

Consider changing the burn function so that tokens can be burned exclusively from blocked or sanctioned accounts.
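To make the failure mode concrete, here is a simplified, self-contained model written for this page (it is not rUSDY's code; the interface, contract and function names are assumptions): an admin burn that reuses the transfer compliance hook reverts for a blocked holder, while the hardened variant skips the 'from' check for the administrative burn.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Blocklist dependency; the real blocklist is assumed to expose isBlocked(address).
interface IBlockList {
    function isBlocked(address) external view returns (bool);
}

// Simplified token used only for this illustration (not rUSDY): one burner admin,
// a blocklist, and a transfer hook in the ERC20 _beforeTokenTransfer style.
contract BurnCheckDemo {
    mapping(address => uint256) public balanceOf;
    address public immutable burner;
    IBlockList public blocklist;

    constructor(IBlockList _blocklist) {
        burner = msg.sender;
        blocklist = _blocklist;
    }

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount; // unrestricted, demo only
    }

    // Rejects any movement out of a blocked 'from' account. Because the burn
    // path below reuses this hook, burns from blocked holders revert too.
    function _beforeTokenTransfer(address from, address to) internal view {
        if (from != address(0)) {
            require(!blocklist.isBlocked(from), "demo: 'from' address blocked");
        }
        if (to != address(0)) {
            require(!blocklist.isBlocked(to), "demo: 'to' address blocked");
        }
    }

    // Shape of the reported bug: the admin burn runs the same compliance checks
    // as a user transfer, so a blocked holder's tokens stay locked.
    function burnVulnerable(address from, uint256 amount) external {
        require(msg.sender == burner, "demo: not burner");
        _beforeTokenTransfer(from, address(0));
        balanceOf[from] -= amount;
    }

    // Hardened shape: the administrative burn skips the 'from' check. Nothing is
    // delivered to any recipient, so the blocklist adds no protection on this path.
    function burnFixed(address from, uint256 amount) external {
        require(msg.sender == burner, "demo: not burner");
        balanceOf[from] -= amount;
    }
}
```

With a blocklist that returns true for the holder, burnVulnerable reverts with "demo: 'from' address blocked" while burnFixed reduces the balance as the natspec promises.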

Assessed type

Context

#0 - c4-pre-sort

2023-09-08T15:18:10Z

raymondfam marked the issue as duplicate of #85

#1 - c4-pre-sort

2023-09-08T15:18:15Z

raymondfam marked the issue as sufficient quality report

#2 - c4-judge

2023-09-19T09:23:22Z

kirk-baird changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-09-26T23:49:04Z

This previously downgraded issue has been upgraded by kirk-baird

#4 - c4-judge

2023-09-26T23:49:11Z

kirk-baird marked the issue as not a duplicate

#5 - c4-judge

2023-09-26T23:50:31Z

kirk-baird marked the issue as duplicate of #136

#6 - c4-judge

2023-09-26T23:50:40Z

kirk-baird marked the issue as satisfactory
