Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L720
Vulnerability details
Impact
The method for processing refunds has no input validation. If Bob burns 100 CASH and Alice burns 1 CASH, and the manager wants to refund Alice and pay out Bob, they are able to swap the refund parameters. This would result in Alice getting the entire collateral redemption amount for her 1 CASH, and Bob would get a refund of 100 CASH, even though this was not intended. The method should safeguard refunds for users who exceeded the minimum redemption amount.
Proof of Concept
See the description above.
Tools Used
None
Recommended Mitigation Steps
Introduce some validation. Use a threshold parameter, and do not simply refund users who exceeded it.
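The swap described under Impact and the threshold check from the mitigation, as an added example that is not code from CashManager.sol: a simplified Python model of one redemption epoch. The class, method and exception names, the pro-rata split and the sample amounts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class RefundRejected(Exception):
    """Raised when a refund targets a user who burned more than the threshold."""


@dataclass
class EpochModel:
    # Hypothetical model of one redemption epoch; not the contract's storage layout.
    burned: dict                      # user -> CASH burned during the epoch
    threshold: Optional[int] = None   # None = no validation, as in the finding

    def complete(self, redeemers, refundees, collateral):
        """Return (collateral payouts, CASH refunds) for the manager's two lists."""
        if self.threshold is not None:
            for user in refundees:
                # Mitigation: users who exceeded the threshold must be paid out.
                if self.burned[user] > self.threshold:
                    raise RefundRejected(user)
        # Assumption: collateral is split pro rata over the redeemers' burned CASH.
        total = sum(self.burned[u] for u in redeemers)
        payouts = {u: collateral * self.burned[u] // total for u in redeemers}
        refunds = {u: self.burned[u] for u in refundees}
        return payouts, refunds


# Constructed sample data matching the scenario in the report.
BURNED = {"alice": 1, "bob": 100}
COLLATERAL = 100_000   # constructed collateral amount for the epoch
THRESHOLD = 10         # constructed threshold value


def swapped_without_validation():
    # The manager meant redeemers=[bob], refundees=[alice] but swapped the lists.
    return EpochModel(BURNED).complete(["alice"], ["bob"], COLLATERAL)


def swapped_with_threshold():
    # Same mistaken call, with the threshold check enabled.
    try:
        return EpochModel(BURNED, THRESHOLD).complete(["alice"], ["bob"], COLLATERAL)
    except RefundRejected as exc:
        return f"rejected refund for {exc}"


if __name__ == "__main__":
    print(swapped_without_validation())
    print(swapped_with_threshold())
```

Without the check, the swapped call pays Alice the whole collateral amount and refunds Bob his 100 CASH; with it, the same call fails before any payout is computed.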