Spectra - smaul's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $36,500 USDC

Total HM: 2

Participants: 39

Period: 7 days

Judge: Dravee

Id: 338

League: ETH

Spectra

Findings Distribution

Researcher Performance

Rank: 20/39

Findings: 1

Award: $80.57

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

80.5733 USDC - $80.57

Labels

bug
2 (Med Risk)
partial-75
sufficient quality report
:robot:_33_group
duplicate-210

External Links

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L460-L462
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L483-L485

Vulnerability details

Impact

Some functions in the PrincipalToken contract, e.g. maxWithdraw() and maxRedeem(), do not follow the EIP-5095 standard. This creates a problem for anyone integrating PrincipalToken with another protocol: an integrator expects these functions to return 0 while the contract is paused, but instead they revert the whole transaction, which can cause security issues in the integrating system.

Proof of Concept

The maxWithdraw() and maxRedeem() functions do not follow the EIP-5095 standard. According to the EIP, these functions should return 0 when the contract is paused, but in this contract they revert if the contract is paused. The relevant EIP-5095 requirement reads:

MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0. MUST NOT revert.

Since the Spectra team specifically states that this contract is compliant with EIP-5095, the team should make sure it follows the EIP's guidelines.

PoC:

function testPauseShouldNotRevert() external {
    uint256 amountToDeposit = 1e18;
    _prepareForDepositIBT(testUser, amountToDeposit);

    // Deposit IBT as the test user so there is a non-zero balance to query.
    vm.startPrank(testUser);
    ibt.approve(address(principalToken), amountToDeposit);
    principalToken.depositIBT(amountToDeposit, testUser);
    vm.stopPrank();

    // Pause the contract as the admin.
    vm.prank(scriptAdmin);
    principalToken.pause();

    // Per EIP-5095 this MUST return 0 while paused; the current implementation reverts here instead.
    vm.prank(testUser);
    uint256 wb = principalToken.maxWithdraw(testUser);
    console.log("Withdrawable Balance Should be 0:", wb);
    assertEq(wb, 0);
}

Tools Used

Manual Analysis

Recommended Mitigation Steps

Follow the EIP-5095 guidelines and return 0 from maxWithdraw() and maxRedeem() while the contract is paused, instead of reverting.
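The two shapes the report contrasts, as an added illustration rather than Spectra's code: a hypothetical principal token whose view functions carry a whenNotPaused modifier (and therefore revert while paused), beside one that folds the pause into the returned limit as EIP-5095 requires. MinimalPausable, PTReverting, PTCompliant and the 1:1 IBT-to-PT accounting are simplifications assumed for this example; the Foundry test at the bottom shows what an integrator's read-only call sees in each case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Minimal pause switch standing in for a Pausable base (hypothetical, illustration only).
abstract contract MinimalPausable {
    address internal immutable admin;
    bool private _paused;

    error EnforcedPause();

    constructor(address admin_) {
        admin = admin_;
    }

    modifier whenNotPaused() {
        if (_paused) revert EnforcedPause();
        _;
    }

    function paused() public view returns (bool) {
        return _paused;
    }

    function pause() external {
        require(msg.sender == admin, "not admin");
        _paused = true;
    }
}

// Shape of the issue the report describes: whenNotPaused on the view functions
// makes maxWithdraw()/maxRedeem() revert instead of returning 0 while paused.
contract PTReverting is MinimalPausable {
    mapping(address => uint256) public balanceOf;

    constructor(address admin_) MinimalPausable(admin_) {}

    function depositIBT(uint256 amount, address receiver) external whenNotPaused {
        balanceOf[receiver] += amount; // hypothetical 1:1 IBT -> PT accounting
    }

    function maxWithdraw(address owner) public view whenNotPaused returns (uint256) {
        return balanceOf[owner];
    }

    function maxRedeem(address owner) public view whenNotPaused returns (uint256) {
        return balanceOf[owner];
    }
}

// EIP-5095-conformant shape: the global limit (pause) is part of the returned
// value, and the functions never revert.
contract PTCompliant is MinimalPausable {
    mapping(address => uint256) public balanceOf;

    constructor(address admin_) MinimalPausable(admin_) {}

    function depositIBT(uint256 amount, address receiver) external whenNotPaused {
        balanceOf[receiver] += amount; // hypothetical 1:1 IBT -> PT accounting
    }

    function maxWithdraw(address owner) public view returns (uint256) {
        if (paused()) return 0; // redemption disabled: MUST return 0, MUST NOT revert
        return balanceOf[owner];
    }

    function maxRedeem(address owner) public view returns (uint256) {
        if (paused()) return 0;
        return balanceOf[owner];
    }
}

contract MaxRedeemPauseTest is Test {
    address admin = makeAddr("admin");
    address user = makeAddr("user");

    function testRevertingShapeBreaksIntegrators() external {
        PTReverting pt = new PTReverting(admin);
        vm.prank(user);
        pt.depositIBT(1e18, user);
        vm.prank(admin);
        pt.pause();
        vm.expectRevert(MinimalPausable.EnforcedPause.selector);
        pt.maxWithdraw(user); // an integrator's read-only call reverts here
    }

    function testCompliantShapeReturnsZeroWhilePaused() external {
        PTCompliant pt = new PTCompliant(admin);
        vm.prank(user);
        pt.depositIBT(1e18, user);
        assertEq(pt.maxWithdraw(user), 1e18);
        vm.prank(admin);
        pt.pause();
        assertEq(pt.maxWithdraw(user), 0);
        assertEq(pt.maxRedeem(user), 0);
    }
}
```

Run with forge test in a project that has forge-std installed. The design point is that a limit-query function is consumed by code paths that cannot tolerate a revert (routers, vaults, UIs computing what to offer a user); encoding "nothing available right now" as 0 keeps those callers working and matches the EIP's MUST NOT revert wording.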

Assessed type

Context

#0 - c4-pre-sort

2024-03-03T09:21:03Z

gzeon-c4 marked the issue as duplicate of #33

#1 - c4-pre-sort

2024-03-03T09:21:07Z

gzeon-c4 marked the issue as sufficient quality report

#2 - c4-judge

2024-03-11T00:23:56Z

JustDravee marked the issue as satisfactory

#3 - c4-judge

2024-03-11T00:23:59Z

JustDravee marked the issue as partial-75
