search

code-423n4 / 2021-12-vader-findings

0 stars 0 forks source link

USDV minting limit is not applied if `cycleTimestamp <= block.timestamp` #45

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

TomFrenchBlockchain

Vulnerability details

Impact

Minting protections can be bypassed in some circumstances.

Proof of Concept

See link:

https://github.com/code-423n4/2021-12-vader/blob/fd2787013608438beae361ce1bb6d9ffba466c45/contracts/tokens/USDV.sol#L78-L87

Should we go down the first branch of if statement then we never reach the require statement.

Recommended Mitigation Steps

Apply require statement to both branches.

0xstormtrooper commented 2 years ago

Suggested code change

        if (cycleTimestamp <= block.timestamp) {
            cycleTimestamp = block.timestamp + 24 hours;
            cycleMints = uAmount;
            require(uAmount <= dailyLimit);
        } else {
            cycleMints += uAmount;
            require(
                cycleMints <= dailyLimit,
                "USDV::mint: 24 Hour Limit Reached"
            );
        }