code-423n4 / 2023-01-ondo-findings


`claimMint` allows anyone to claim for `user` #294

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/CashManager.sol#L241

Vulnerability details

Impact

Claiming for other users without their consent might lead to undesired disadvantages

Proof of Concept

Consider the following scenario:

1) Alice deposits 1_000_000e6 USDC.
2) The `epochToExchangeRate` for the current epoch is 1e6.
3) Alice gambles with the hope that the exchange rate will be changed to 1e5.
4) Bob calls `claimMint` with Alice's address; Alice receives 1_000_000e18 cash tokens.
5) Admin changes `epochToExchangeRate` to 1e5.
6) Alice received fewer tokens than she expected due to Bob's unauthorized call; if Bob had not executed the call, Alice would have received 10_000_000e18 cash tokens.

Tools Used

VSCode

Recommended Mitigation Steps

Consider either only allowing `msg.sender` to claim their own tokens, or implementing logic that allows Alice to authorize other addresses to call `claimMint` on her behalf.
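The scenario and the second mitigation, as an added illustration that is not Ondo's `CashManager` code and not part of the original report: a minimal contract with a `claimMint` that anyone may call for any `user`, beside a gated `claimMintGated` backed by a per-user `claimAllowance` mapping. The storage layout, the `setExchangeRate` / `requestMint` / `advanceEpoch` helpers, the 1e18 CASH scaling and the `cashOwed = collateral * 1e18 / rate` formula are assumptions chosen so that the numbers reproduce the report's arithmetic (1_000_000e6 USDC at rate 1e6 yields 1_000_000e18, at rate 1e5 yields 10_000_000e18); the real contract's accounting differs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal claim flow (example code, not Ondo's CashManager).
contract MinimalCashManager {
    address public admin;
    uint256 public currentEpoch;

    // epoch => exchange rate (assumed 1e6-scaled, as in the report's numbers)
    mapping(uint256 => uint256) public epochToExchangeRate;
    // epoch => user => collateral (USDC, 6 decimals) deposited in that epoch
    mapping(uint256 => mapping(address => uint256)) public mintRequestsPerEpoch;
    // stand-in for the CASH token balance (18 decimals)
    mapping(address => uint256) public cashBalance;
    // hardened path: user => claimer => may claim on user's behalf
    mapping(address => mapping(address => bool)) public claimAllowance;

    constructor() {
        admin = msg.sender;
    }

    // Admin sets (and, as in the report, may later change) an epoch's rate.
    function setExchangeRate(uint256 epoch, uint256 rate) external {
        require(msg.sender == admin, "not admin");
        epochToExchangeRate[epoch] = rate;
    }

    function advanceEpoch() external {
        require(msg.sender == admin, "not admin");
        currentEpoch++;
    }

    // Token transfer omitted; only the request bookkeeping matters here.
    function requestMint(uint256 collateralAmount) external {
        mintRequestsPerEpoch[currentEpoch][msg.sender] += collateralAmount;
    }

    // As reported: no check on msg.sender, so Bob can settle Alice's request
    // at whatever rate is set right now.
    function claimMint(address user, uint256 epoch) external {
        _claim(user, epoch);
    }

    // Mitigation: the user opts specific claimers in (or out).
    function setClaimAllowance(address claimer, bool allowed) external {
        claimAllowance[msg.sender][claimer] = allowed;
    }

    // Gated variant: only the user or an address the user authorized.
    function claimMintGated(address user, uint256 epoch) external {
        require(
            msg.sender == user || claimAllowance[user][msg.sender],
            "not authorized to claim for user"
        );
        _claim(user, epoch);
    }

    function _claim(address user, uint256 epoch) internal {
        uint256 rate = epochToExchangeRate[epoch];
        require(rate != 0, "rate not set");
        uint256 collateral = mintRequestsPerEpoch[epoch][user];
        require(collateral != 0, "nothing to claim");
        mintRequestsPerEpoch[epoch][user] = 0;
        // 1_000_000e6 * 1e18 / 1e6 = 1_000_000e18; at rate 1e5 it would be 10_000_000e18.
        uint256 cashOwed = (collateral * 1e18) / rate;
        cashBalance[user] += cashOwed;
    }
}
```

With `claimMint`, the only thing standing between Alice and a claim at a rate she did not want is that nobody else calls it first; with `claimMintGated`, a third party can still claim for her, but only after she called `setClaimAllowance(claimer, true)`.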

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2023-01-ondo-findings/issues/318

c4-judge commented 1 year ago

trust1995 marked the issue as grade-b

tom2o17 commented 1 year ago

Intended functionality that a 3rd party can claim on behalf of

c4-sponsor commented 1 year ago

tom2o17 marked the issue as sponsor acknowledged