The _processRedemption function has the quantityBurned as input parameter, which is the leftover from all cash burns from the desired round, after refunds have been deducted. Moreover the function has redeemers as parameter, which are all participants of the desired round that have requested a redemption. Therefore the quantityBurned parameter should be the sum of redemptionInfoPerEpoch[epochToService].addressToBurnAmt[redeemer]; for all redeemers. However, the function lacks a sanity check to ensure this is in fact the case. This might lead to undesired decreased redemptions in case of human error (partially wrong input).
Tools Used
VSCode
Recommended Mitigation Steps
Consider implementing a check that the sum of redemptionInfoPerEpoch[epochToService].addressToBurnAmt[redeemer]; for all redeemers indeed match quantityBurned amount to ensure no one is left out.
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/CashManager.sol#L755
Vulnerability details
Impact
Redeemers might be accidentally left out
Proof of Concept
The
_processRedemption
function has thequantityBurned
as input parameter, which is the leftover from all cash burns from the desired round, after refunds have been deducted. Moreover the function hasredeemers
as parameter, which are all participants of the desired round that have requested a redemption. Therefore thequantityBurned
parameter should be the sum ofredemptionInfoPerEpoch[epochToService].addressToBurnAmt[redeemer];
for allredeemers
. However, the function lacks a sanity check to ensure this is in fact the case. This might lead to undesired decreased redemptions in case of human error (partially wrong input).Tools Used
VSCode
Recommended Mitigation Steps
Consider implementing a check that the sum of
redemptionInfoPerEpoch[epochToService].addressToBurnAmt[redeemer];
for allredeemers
indeed matchquantityBurned
amount to ensure no one is left out.This could be a way to implement the aforementioned sanity check.