code-423n4 / 2023-01-ondo-findings


Insufficient Input Validation Leading to Excessive Token Burn. #333

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L672-L674

Vulnerability details

Impact

This vulnerability allows a malicious user to redeem an amount of cash tokens that is less than the minimum redemption amount or more than the user's actual balance. This bug can be considered as a high severity bug, as it allows an attacker to burn an excessive amount of cash tokens from a user's balance, potentially resulting in financial loss for the user.

Proof of Concept

A proof of concept for an attack on this function could involve an attacker, let's say "Bob," calling requestRedemption with a large value for amountCashToRedeem that exceeds their current balance of cash tokens. Since there is no check to ensure that the user has enough cash tokens, the function would proceed and burn an excessive amount of cash tokens from the user's balance.

Here's an example of a proof of concept for an attack on the requestRedemption function:

1.) Bob starts with a balance of 10000 cash tokens
2.) Bob calls requestRedemption with an amount of 20000 cash tokens
3.) Since there is no check to ensure that Bob has enough cash tokens, the function proceeds and burns 2000 cash tokens from Bob's balance
4.) Bob's balance is now -10000 cash tokens

You can see the calculation of Bob's cash token balance before and after the attack:

Initial balance : 10000
Requested amount : 20000
Final balance : -10000

In this example, Bob was able to exploit the lack of input validation in the requestRedemption function to burn more cash tokens than he actually had, resulting in a negative balance.

What happens if the amount is less than the minimum?

1.) Bob calls requestRedemption with amountCashToRedeem = 100 and minimumRedeemAmount = 1000
2.) The function checks if amountCashToRedeem < minimumRedeemAmount, which evaluates to true
3.) The function reverts and throws the error WithdrawRequestAmountTooSmall
4.) Bob is unable to redeem cash tokens as the requested amount is less than the minimum redeem amount set on the contract.

Tools Used

Manual Review

Recommended Mitigation Steps

// Reject requests below the configured minimum
if (amountCashToRedeem < minimumRedeemAmount) {
  revert WithdrawRequestAmountTooSmall();
}
// Reject requests that exceed the caller's actual cash balance
if (amountCashToRedeem > cash.balanceOf(msg.sender)) {
  revert InvalidAmountRedemption();
}

This would prevent the function from proceeding if the user does not have enough cash tokens and will revert the transaction with the error message "Invalid amount for redemption".
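The two checks the report recommends, placed in context in a small constructed mock contract (added here for illustration; this is not Ondo's CashManager, and the IERC20 interface with burnFrom, the RedemptionChecksMock name and the pendingRedemptions mapping are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed mock: the cash token is assumed to be an ERC20 that exposes
// balanceOf and burnFrom (assumed interface, not taken from the report).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function burnFrom(address account, uint256 amount) external;
}

contract RedemptionChecksMock {
    error WithdrawRequestAmountTooSmall();
    error InvalidAmountRedemption();

    IERC20 public immutable cash;
    uint256 public minimumRedeemAmount;
    mapping(address => uint256) public pendingRedemptions; // assumed bookkeeping

    constructor(IERC20 cash_, uint256 minimumRedeemAmount_) {
        cash = cash_;
        minimumRedeemAmount = minimumRedeemAmount_;
    }

    function requestRedemption(uint256 amountCashToRedeem) external {
        // Check 1: reject requests below the configured minimum.
        if (amountCashToRedeem < minimumRedeemAmount) {
            revert WithdrawRequestAmountTooSmall();
        }
        // Check 2: reject requests that exceed the caller's actual balance,
        // before any burn is attempted.
        if (amountCashToRedeem > cash.balanceOf(msg.sender)) {
            revert InvalidAmountRedemption();
        }
        pendingRedemptions[msg.sender] += amountCashToRedeem;
        cash.burnFrom(msg.sender, amountCashToRedeem);
    }
}
```

With both checks in place, a request for 20000 tokens from a balance of 10000 reverts with InvalidAmountRedemption, and a request for 100 tokens against a minimum of 1000 reverts with WithdrawRequestAmountTooSmall.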

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Insufficient proof