Ethena Labs - rvierdiiev's results

Enabling The Internet Bond

General Information

Platform: Code4rena

Start Date: 24/10/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 147

Period: 6 days

Judge: 0xDjango

Id: 299

League: ETH

Ethena Labs

Findings Distribution

Researcher Performance

Rank: 132/147

Findings: 1

Award: $4.52

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDeV2.sol#L78-L90

Vulnerability details

Proof of Concept

If an account is sanctioned, the owner holding BLACKLIST_MANAGER_ROLE can blacklist it by marking it with FULL_RESTRICTED_STAKER_ROLE.

Once restricted, the account can no longer do anything with its funds, and those funds can be confiscated.

Of course, the user can frontrun this transaction to avoid the block and transfer his funds to another account. The protocol team say this will be addressed by submitting the transaction through the Flashbots relay so it is hidden from the mempool and the attacker cannot frontrun it.

The StakedUSDeV2 contract has a cooldownDuration period. This means that when an account redeems or withdraws, the redeemed funds are first sent to the silo contract, and only after the cooldownDuration period has passed can the user withdraw them. Neither the StakedUSDeV2.unstake function nor the silo contract checks whether the user has FULL_RESTRICTED_STAKER_ROLE; they simply allow the withdrawal.

Because of that, a sanctioned account can start a withdrawal from StakedUSDeV2 before it is marked with FULL_RESTRICTED_STAKER_ROLE, so that its funds move to the silo contract. Some time later the protocol receives information that the account is sanctioned and marks it with FULL_RESTRICTED_STAKER_ROLE, but this does not lock the funds sitting in the silo, and the sanctioned attacker can still withdraw them.

Impact

A sanctioned account can rescue its funds from confiscation.

Tools Used

VsCode

Recommended Mitigation Steps

Make the unstake function check whether the account has FULL_RESTRICTED_STAKER_ROLE. Also add a function, similar to redistributeLockedAmount, that can transfer a restricted account's locked assets from the silo to another address.
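The following sketch illustrates the gap described above and the recommended fix side by side. It is an added example, not Ethena's StakedUSDeV2 or silo code: asset bookkeeping is reduced to counters, the silo is modelled as a mapping, and the names `restricted`, `siloPaidOut`, `unstakeVulnerable` and `sweepLockedAmount` are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified sketch of the redeem -> silo -> unstake flow (added example,
// not Ethena's contract). `restricted`, `siloPaidOut` and `sweepLockedAmount`
// are assumed names; balances are plain counters so the access check stands out.
contract CooldownSiloSketch {
    struct UserCooldown { uint256 cooldownEnd; uint256 underlyingAmount; }

    address public immutable blacklistManager;         // BLACKLIST_MANAGER_ROLE analogue
    uint256 public constant cooldownDuration = 90 days;
    mapping(address => bool) public restricted;        // FULL_RESTRICTED_STAKER_ROLE analogue
    mapping(address => UserCooldown) public cooldowns; // per-user silo balance and clock
    mapping(address => uint256) public siloPaidOut;    // assets released from the silo

    constructor() { blacklistManager = msg.sender; }

    function restrict(address account) external {
        require(msg.sender == blacklistManager, "not manager");
        restricted[account] = true;
    }

    // Step 1: assets leave the vault for the silo and the cooldown clock starts.
    // Only this step checks the restriction, which is the gap in the report.
    function cooldownAssets(uint256 assets) external {
        require(!restricted[msg.sender], "restricted");
        UserCooldown storage c = cooldowns[msg.sender];
        c.cooldownEnd = block.timestamp + cooldownDuration;
        c.underlyingAmount += assets;
    }

    // Vulnerable step 2: only the clock is checked, so an account restricted
    // after cooldownAssets() still gets its silo balance out.
    function unstakeVulnerable(address receiver) external { _payout(msg.sender, receiver); }

    // Hardened step 2: the check the report recommends.
    function unstake(address receiver) external {
        require(!restricted[msg.sender], "restricted");
        _payout(msg.sender, receiver);
    }

    // Silo counterpart of redistributeLockedAmount: the manager can move a
    // restricted account's parked assets to another address.
    function sweepLockedAmount(address from, address to) external {
        require(msg.sender == blacklistManager && restricted[from], "not allowed");
        siloPaidOut[to] += cooldowns[from].underlyingAmount;
        delete cooldowns[from];
    }

    function _payout(address user, address receiver) internal {
        UserCooldown storage c = cooldowns[user];
        require(block.timestamp >= c.cooldownEnd, "cooldown not over");
        siloPaidOut[receiver] += c.underlyingAmount;
        delete cooldowns[user];
    }
}
```

Calling cooldownAssets, then restrict, then unstakeVulnerable after the cooldown shows the funds leaving the silo; the same sequence through unstake reverts, and sweepLockedAmount lets the manager redirect them instead.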

Assessed type

Error

#0 - c4-pre-sort

2023-10-31T01:05:14Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-10-31T01:07:47Z

raymondfam marked the issue as duplicate of #62

#2 - c4-judge

2023-11-13T20:30:48Z

fatherGoose1 marked the issue as not a duplicate

#3 - fatherGoose1

2023-11-13T20:32:09Z

Valid design recommendation, but does not violate business logic of the Ethena system.

#4 - c4-judge

2023-11-13T20:32:15Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-11-13T20:32:19Z

fatherGoose1 marked the issue as grade-b
