code-423n4 / 2022-06-notional-coop-findings

wfCash4626 withdraw method can settle the account #169

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L192

Vulnerability details

withdraw will revert if the account has not been settled yet. This is just due to the implementation and can be avoided by, well, settling the account.

Impact

withdraw reverts unnecessarily. Protocols and users that use wfCash4626 will have to discover this and settle by themselves.

Proof of Concept

withdraw calls previewWithdraw, which ends up calling _getMaturedValue, which will revert if the account is not settled yet.

Recommended Mitigation Steps

Add to withdraw:

NotionalV2.settleAccount(address(this));

This will ensure that the account is settled and withdraw will not revert.

jeffywu commented 2 years ago

Agree, good find.

There is no loss of funds or functionality here so I would suggest that this is reduced to a QA suggestion, but a good one.

gzeoneth commented 2 years ago

As warden's QA report.