Platform: Code4rena
Start Date: 18/10/2023
Pot Size: $36,500 USDC
Total HM: 17
Participants: 77
Period: 7 days
Judge: MiloTruck
Total Solo HM: 5
Id: 297
League: ETH
Rank: 37/77
Findings: 1
Award: $94.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0xMosh, 0xPsuedoPandit, 0xhacksmithh, 8olidity, Al-Qa-qa, Baki, Bughunter101, Krace, Stormreckson, T1MOH, Tendency, eeshenggoh, fibonacci, hals, immeas, kutugu, lsaudit, m4k2, mrudenko, okolicodes, phoenixV110, spark, twicek, xAriextz
94.0139 USDC - $94.01
The quitSystem function in the ODSafeManager contract allows a user to move their collateral to another destination. However, there's a critical oversight in the function: it doesn't check if the collateral type of the source matches the collateral type of the destination. This means a user can inadvertently (or maliciously) move collateral of one type to a destination expecting a different type. The destination then ends up with collateral it cannot use, potentially leading to financial loss or other unintended consequences.
function quitSystem(uint256 _safe, address _dst) external safeAllowed(_safe) handlerAllowed(_dst) { SAFEData memory _sData = _safeData[_safe]; ISAFEEngine.SAFE memory _safeInfo = ISAFEEngine(safeEngine).safes(_sData.collateralType, _sData.safeHandler); int256 _deltaCollateral = _safeInfo.lockedCollateral.toInt(); int256 _deltaDebt = _safeInfo.generatedDebt.toInt(); //@audit-issue missed check for source and destination collateral types ISAFEEngine(safeEngine).transferSAFECollateralAndDebt( _sData.collateralType, _sData.safeHandler, _dst, _deltaCollateral, _deltaDebt ); // Remove safe from owner's list (notice it doesn't erase safe ownership) _usrSafes[_sData.owner].remove(_safe); _usrSafesPerCollat[_sData.owner][_sData.collateralType].remove(_safe); emit QuitSystem(msg.sender, _safe, _dst); }
The quitSystem function lacks a check to ensure that the collateral type of the source (_srcData.collateralType) matches the collateral type of the destination (_dstData.collateralType).
Manual review
Before executing the logic inside the quitSystem function, insert a check to ensure that the collateral types match:
SAFEData memory _dstData = _safeData[_safeDst]; if (_srcData.collateralType != _dstData.collateralType) revert CollateralTypesMismatch();
Alternatively, consider using the moveSAFE function if it already implements the necessary checks and logic for safely moving collateral between addresses.
Context
#0 - c4-pre-sort
2023-10-26T03:29:43Z
raymondfam marked the issue as low quality report
#1 - c4-pre-sort
2023-10-26T03:29:57Z
raymondfam marked the issue as duplicate of #90
#2 - c4-pre-sort
2023-10-27T06:21:11Z
raymondfam marked the issue as sufficient quality report
#3 - c4-pre-sort
2023-10-27T06:21:17Z
raymondfam marked the issue as not a duplicate
#4 - c4-pre-sort
2023-10-27T06:21:33Z
raymondfam marked the issue as duplicate of #285
#5 - c4-judge
2023-11-02T05:57:47Z
MiloTruck changed the severity to QA (Quality Assurance)
#6 - c4-judge
2023-11-03T18:01:56Z
MiloTruck marked the issue as grade-a