code-423n4 / 2023-01-ondo-findings


Anybody can initialize claimMint of other people #288

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L241-L269

Vulnerability details

Impact

This can cause poor management of the tokens on the go, without the end customer being aware that any other person will be able to start the claim process without the consent of the owner of the tokens. This is caused by the fact that a KYC check is made on the user entered, not the msg.sender, which up to now could be fine, but the problem occurs since it does not verify that the msg.sender is actually the user entered.

Proof of Concept

Bob: has deposited some collateral and now has 20 cash ready to be claimed from an old epoch.

Alice: calls the "claimMint" function using Bob's address as parameter and initializes "claimMint" for Bob even if Bob doesn't even intend to.

The problem is not the funds (which end up in the right wallets) but the consensus that Alice should not have had in performing that function.

Tools Used

Recommended Mitigation Steps

Check that the msg.sender is the same as the user entered, or create an authorization system between wallets that can delegate certain functions.

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Invalid

c4-sponsor commented 1 year ago

tom2o17 marked the issue as sponsor disputed

tom2o17 commented 1 year ago

It is intended functionality that a third party may claim on behalf of. cc @ypatil12 @cameronclifton
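
The two access-control choices discussed in this thread, as an added example that is not part of the issue and is not Ondo's CashManager code: a simplified model in which `claimMint` checks and credits only `user`, next to the self-only variant the report recommends. Every name except `claimMint`, `user` and `msg.sender` is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Simplified model written for this example; it is NOT Ondo's CashManager.
// All names other than claimMint are assumptions.
contract ClaimModel {
    mapping(address => bool) public kycPassed;                      // stand-in for the KYC registry
    mapping(uint256 => mapping(address => uint256)) public pending; // epoch => user => cash owed
    mapping(address => uint256) public cashBalance;                 // stand-in for the CASH token

    error FailedKYC();
    error NoCashToClaim();
    error NotClaimOwner();

    // Logging the caller lets a user or monitor see who started each claim.
    event MintCompleted(address indexed user, address indexed caller, uint256 amount, uint256 epoch);

    // Setup helper (constructed): records a KYC'd user with cash owed for an epoch.
    function seed(address user, uint256 epoch, uint256 amount) external {
        kycPassed[user] = true;
        pending[epoch][user] = amount;
    }

    // Behaviour described in the report: the KYC check and the payout both
    // refer to `user`; msg.sender is not compared with `user`.
    function claimMint(address user, uint256 epoch) external {
        _claim(user, epoch);
    }

    // The report's first suggested mitigation: only the owner may start the claim.
    function claimMintSelfOnly(address user, uint256 epoch) external {
        if (msg.sender != user) revert NotClaimOwner();
        _claim(user, epoch);
    }

    function _claim(address user, uint256 epoch) private {
        if (!kycPassed[user]) revert FailedKYC();
        uint256 owed = pending[epoch][user];
        if (owed == 0) revert NoCashToClaim();
        pending[epoch][user] = 0;   // cleared before crediting, so a claim cannot be repeated
        cashBalance[user] += owed;  // credited to `user`, never to msg.sender
        emit MintCompleted(user, msg.sender, owed, epoch);
    }
}
```

With Bob seeded with 20 for an epoch, a call to `claimMint(bob, epoch)` from Alice's address leaves `cashBalance[bob] == 20` and Alice's balance unchanged, while `claimMintSelfOnly(bob, epoch)` from Alice reverts with `NotClaimOwner`.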