code-423n4 / 2022-02-anchor-findings


Any undelegation may be blocked due to condition in execute_unbond function #63

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/unbond.rs#L76-L81

Vulnerability details

Any undelegation may be blocked due to condition in execute_unbond function

Impact

The execute_unbond function currently returns an error when the undelegation_amount equals one in anchor-bAsset-contracts/contracts/anchor_basset_hub/src/unbond.rs. That error will abort the execute_unbond function when the epoch_period has been passed in such a state. A malicious user could simply wait for an empty undelegation batch for bLuna token, and then unbond a unit of token which makes undelegation_amount = 1.

If the contract ends in such a state, the only way to recover would be to drastically change the exchange rate such that the undelegation_amount is not equal to one, which may be costly.

Proof of Concept

Contract: anchor-bAsset-contracts/contracts/anchor_basset_hub/src/unbond.rs

Function: pub(crate) fn execute_unbond(...)

Line 77:

        // the contract must stop if
        if undelegation_amount == Uint128::new(1) {
            return Err(StdError::generic_err(
                "Burn amount must be greater than 1 ubluna",
            ));
        }

Recommended Mitigation Steps

It's recommended to remove the condition in anchor-bAsset-contracts/contracts/anchor_basset_hub/src/unbond.rs line 77 or, alternatively, return Ok instead of an Err.
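The check quoted in the report and the report's alternative mitigation (returning Ok), side by side in a stand-alone Rust model. This is an added example, not code from the Anchor contracts or from the report; the 18-decimal rate scale, the `requested * exchange_rate` formula, and every name except `undelegation_amount` and the error string are assumptions.

```rust
// Added example: a stand-alone model of the check, not the Anchor hub code.
// Every name except `undelegation_amount` and the error string is hypothetical.
const RATE_SCALE: u128 = 1_000_000_000_000_000_000; // assumed 18-decimal fixed point

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Queued,            // epoch_period not over: the request only joins the batch
    Undelegated(u128), // batch processed for this amount
    Skipped,           // mitigation only: the call succeeds, batch stays pending
}

pub enum OnOneUnit {
    Reject, // behaviour quoted in the report: return Err
    Skip,   // report's alternative: return Ok instead of Err
}

/// Assumed formula: batch size times exchange rate, rounded down.
pub fn undelegation_amount(requested: u128, exchange_rate: u128) -> u128 {
    requested * exchange_rate / RATE_SCALE // model only: no overflow handling
}

pub fn process_batch(
    requested: u128,
    exchange_rate: u128,
    epoch_passed: bool,
    policy: OnOneUnit,
) -> Result<Outcome, String> {
    if !epoch_passed {
        return Ok(Outcome::Queued);
    }
    let amount = undelegation_amount(requested, exchange_rate);
    if amount == 1 {
        return match policy {
            OnOneUnit::Reject => Err("Burn amount must be greater than 1 ubluna".to_string()),
            OnOneUnit::Skip => Ok(Outcome::Skipped),
        };
    }
    Ok(Outcome::Undelegated(amount))
}

fn main() {
    // Constructed samples: (requested units, exchange rate).
    for &(req, rate) in &[(1u128, RATE_SCALE), (2, RATE_SCALE * 6 / 10), (1, 2 * RATE_SCALE)] {
        let before = process_batch(req, rate, true, OnOneUnit::Reject);
        let after = process_batch(req, rate, true, OnOneUnit::Skip);
        println!("{} @ {}: {:?} -> {:?}", req, rate, before, after);
    }
}
```

In this model the error path is reached by any batch whose product rounds down to 1 (the second sample: 2 units at a rate of 0.6), and the third sample shows the exchange-rate change the report names as the only way out.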

GalloDaSballo commented 2 years ago

Seems reliant on external conditions