c4-judge
commented
1 year ago trust1995 changed the severity to QA (Quality Assurance)
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago trust1995 changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago trust1995 marked the issue as grade-b
wilsoncusack
commented
1 year ago Yes we trust the user to pass a correct mintTo. There are many addresses aside from address(0) that would leave the user unable to access the funds.Probably won't fix.
c4-sponsor
commented
1 year ago wilsoncusack marked the issue as sponsor acknowledged
Lines of code
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprToken.sol#L24-L26 https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L144
Vulnerability details
Impact
In PaprToken contract, the
mint(to, amount)function didn't check iftoexists.mint()calls_mint(to, amount), which didn't checktoeither. So, the responsibility of making suretois acutally an intended correct address is fully on the caller. Thus, PaprTokens might be possibly minted to:POC
In some scenarios, the above situation may happen. For example, a user calls
PaprController.increaseDebt(mintTo, asset, amount,oracleInfo)which inturn calls_increaseDebt({account: msg.sender, asset: asset, mintTo: mintTo, amount: amount, oracleInfo: oracleInfo}), wheremintTois the address to mint the debt to, i.e. PaprToken receiver. However,mintTowas not checked in the whole call chain. This leaves all possibilites possible:mintToto address(0), those tokens will be lost forever;minToto the PaprToken address (this has happened a lot in blockchain world and has locked numerous ERC20 tokens), minted tokens will be locked in the contract;minToto any valid non-existing address, the minted token will be trapped in the contract.Tools Used
Manual audit.
Recommended Mitigation Steps
mintTois a non-zero address;rescuefunctionality which is able to rescue any tokens trapped in PaprToken contract with some policies in place.