c4-judge
commented
1 year ago Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago 
trust1995
commented
1 year ago This is more of a property of blockchains rather than a vulnerability.
c4-judge
commented
1 year ago trust1995 marked the issue as grade-b
c4-judge
commented
1 year ago trust1995 marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/CashManager.sol#L336-L350
Vulnerability details
Impact
In the function
setPendingMintBalanceof the CashManager.sol there is a strict uint256 not equal (!=) check inside anifstatement, betweenoldBalanceandmintRequestsPerEpoch[epoch][user]. And this function is given the role ofMANAGER_ADMIN. So if theMANAGER_ADMINdecides to decrease the balance ofuser, thenusercan front run this transaction by callingrequestMint()function and changing hismintRequestsPerEpoch[currentEpoch][msg.sender]value. Since the value ofmintRequestsPerEpoch[currentEpoch][msg.sender]changes for theuserit will no longer be equal to theoldBalanceinsetPendingMintBalancefunction. Hence the transaction will revert withUnexpectedMintBalance()error code.Proof of Concept
Above if condition can be made false by changing the
mintRequestsPerEpoch[epoch][user]value, if the MANAGER_ADMIN decides to decrease the balance of the user. User can do this by calling therequestMintfunction and changing themintRequestsPerEpoch[currentEpoch][msg.sender]using below line of code.Hence the user can claim more token balance before the MANAGER_ADMIN can change the balance amount using the
setPendingMintBalancecommand.Tools Used
Manual Review.
Recommended Mitigation Steps
Should prevent user from calling the
requestMintfunction whilesetPendingMintBalancefunction is being called by the MANAGER_ADMIN. This can be done by using boolean values and changing thier state accordingly whensetPendingMintBalancefunction is called.