search

code-423n4 / 2023-01-ondo-findings

0 stars 0 forks source link

MANAGER_ADMIN has the right to give or take any amount of user's tokens using setPendingMintBalance. #235

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L336-L350

Vulnerability details

Impact

Not sure what the use case of setPendingMintBalance() should be, but it can cause admins to drain the whole balance, nullify the user's funds or break the protocol. This can be caused on purpose, accidentally or through an attacker stealing MANAGER_ADMIN's private key.

Proof of Concept

  1. If MANAGER_ADMIN calls 

    setPendingMintBalance(userAddr, 1, 10,0)

    , it would cause userAddr to lose all the collateral deposited.

  2. If MANAGER_ADMIN calls 

    setPendingMintBalance(managerAddr, 1, 0, max)

    , then managerAddr can mint any amount of cash and then redeem it to take all the collateral.

  3. If MANAGER_ADMIN calls 

    setPendingMintBalance(someAddress, 1, 1, 2)

    , then the address can withdraw more tokens than he deposited and thus taking someone else's collateral out of the protocol (stealing someone else's funds).

Tools Used

Manual review

Recommended Mitigation Steps

Remove the function setPendingMintBalance

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Out of scope