Open code423n4 opened 1 year ago
The finding illustrates how a reserve token could be minted for a removed tier, and this token used to redeem funds.
Picodes marked the issue as satisfactory
@Picodes This one seems to be a subset of this finding https://github.com/code-423n4/2022-10-juicebox-findings/issues/191
Thank you for flagging, I will think about it!
Although it is in the same lines and functionalities, I don't think this one is a subset of #191: this one is about the fact that you can still mint when it's deactivated, and #191 is about the rounding feature itself
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L808
Vulnerability details
Description
Tiers in Juicebox can be deactivated using the adjustTiers() function. It makes sense that reserve tokens may be minted in deactivated tiers, in order to be consistent with already minted tokens. However, the code allows the first reserve token to be minted in a deactivated tier, even though there was no previous minting of that tier.
Using the rounding mechanism is not valid when the tier has been deactivated, since we know there won't be any minting of this tier.
Impact
The reserve beneficiary receives an unfair NFT which may be used to withdraw tokens using the redemption mechanism.
Tools Used
Manual audit
Recommended Mitigation Steps
If Juicebox intends to use rounding functionality, pass an argument isDeactivated which, if true, deactivates the rounding logic.
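
A sketch of the recommended mitigation, added here as an illustration and not taken from the juice-nft-rewards code. The library, function and parameter names are hypothetical, and the accounting is a simplified model that assumes one reserved token is owed per `reservedRate` non-reserved mints, with a round-up that also grants the first reserve before any mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Simplified model of reserved-token accounting (hypothetical names).
library ReserveMath {
    /// @param initialQuantity   tier supply at creation
    /// @param remainingQuantity supply not yet minted
    /// @param reservesMinted    reserved tokens already minted for the tier
    /// @param reservedRate      assumed: 1 reserve per `reservedRate` paid mints (0 = none)
    /// @param isDeactivated     true once the tier was removed via adjustTiers()
    function outstandingReserves(
        uint256 initialQuantity,
        uint256 remainingQuantity,
        uint256 reservesMinted,
        uint256 reservedRate,
        bool isDeactivated
    ) internal pure returns (uint256) {
        if (initialQuantity == 0 || reservedRate == 0) return 0;

        // Nothing minted yet: only an active tier gets the rounded-up first reserve.
        if (initialQuantity == remainingQuantity) return isDeactivated ? 0 : 1;

        // Paid (non-reserved) mints so far.
        uint256 paid = initialQuantity - remainingQuantity - reservesMinted;

        // Reserves earned by those mints, rounded down.
        uint256 owed = paid / reservedRate;

        // Round up only while the tier can still receive mints.
        if (!isDeactivated && paid % reservedRate > 0) ++owed;

        // Saturate: a reserve rounded up before removal may exceed `owed`.
        return owed > reservesMinted ? owed - reservesMinted : 0;
    }
}

/// Constructed scenarios; callable in any Solidity sandbox.
contract ReserveMathCheck {
    function selfCheck() external pure returns (bool) {
        // Active tier, nothing minted: rounding grants one reserve.
        require(ReserveMath.outstandingReserves(10, 10, 0, 5, false) == 1);
        // Same tier removed before any mint: nothing is owed.
        require(ReserveMath.outstandingReserves(10, 10, 0, 5, true) == 0);
        // Removed after 5 paid mints: the earned reserve stays mintable.
        require(ReserveMath.outstandingReserves(10, 5, 0, 5, true) == 1);
        // Removed after 3 paid mints and 1 rounded-up reserve: no further reserve.
        require(ReserveMath.outstandingReserves(10, 6, 1, 5, true) == 0);
        return true;
    }
}
```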