Closed code423n4 closed 1 year ago
trust1995 marked the issue as primary issue
trust1995 marked the issue as satisfactory
0xLightt marked the issue as sponsor acknowledged
0xLightt marked the issue as disagree with severity
The reason burning only exists in bHermesVotes is for it to be used in PartnerUtilityManager and ERC4626PartnerManager here.
Will demote to QA due to impact considerations.
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/53c7fe9d5e55754960eafe936b6cb592773d614c/src/hermes/tokens/bHermesVotes.sol#L35-L37
https://github.com/code-423n4/2023-05-maia/blob/53c7fe9d5e55754960eafe936b6cb592773d614c/src/hermes/tokens/bHermesVotes.sol#L39-L42
https://github.com/code-423n4/2023-05-maia/blob/62f4f01a522dcbb4b9abfe2f6783bbb67c0da022/src/erc-20/ERC20Gauges.sol#L485-L488
https://github.com/code-423n4/2023-05-maia/blob/62f4f01a522dcbb4b9abfe2f6783bbb67c0da022/src/erc-20/ERC20Boost.sol#L302-L304
Vulnerability details
Impact
The bHermesVotes contract has the following bHermesVotes.burn function, which is only callable by the bHermes contract due to the bHermesVotes.onlybHermes modifier that is called by this function. However, the bHermes contract does not have a function that calls the bHermesVotes.burn function. Hence, although the function for burning the bHermesVotes tokens exists, there is no way to burn such tokens should the need for burning such tokens, such as for burning these owned by the bHermes contract, arise.
https://github.com/code-423n4/2023-05-maia/blob/53c7fe9d5e55754960eafe936b6cb592773d614c/src/hermes/tokens/bHermesVotes.sol#L35-L37
https://github.com/code-423n4/2023-05-maia/blob/53c7fe9d5e55754960eafe936b6cb592773d614c/src/hermes/tokens/bHermesVotes.sol#L39-L42
Similarly, the following ERC20Gauges and ERC20Boost contracts have the ERC20Gauges._burn and ERC20Boost._burn functions, which are both internal, but the bHermesGauges contract that inherits the ERC20Gauges contract and the bHermesBoost contract that inherits the ERC20Boost contract do not have external or public functions that can call these internal ERC20Gauges._burn and ERC20Boost._burn functions. Thus, there are also no ways to burn these bHermesGauges and bHermesBoost tokens should the needs for burning such tokens, such as for burning these owned by the bHermes contract, arise.
https://github.com/code-423n4/2023-05-maia/blob/62f4f01a522dcbb4b9abfe2f6783bbb67c0da022/src/erc-20/ERC20Gauges.sol#L485-L488
https://github.com/code-423n4/2023-05-maia/blob/62f4f01a522dcbb4b9abfe2f6783bbb67c0da022/src/erc-20/ERC20Boost.sol#L302-L304
As a result, the functionalities for burning the bHermesVotes, bHermesGauges, and bHermesBoost tokens are unavailable even though the related functions, which are inaccessible externally, for burning these tokens do exist to indicate the needs for such functionalities.
Proof of Concept
The following steps can occur for the described scenario involving the bHermesVotes contract. The scenarios involving the bHermesGauges and bHermesBoost contracts are similar to this.
bHermes contract need to be burned according to the consensus reached by the protocol's users and admins.
bHermesVotes.burn function could be called to burn 1% of the minted bHermesVotes tokens owned by the bHermes contract if the bHermes contract can call such function.
bHermes contract does not have a function that calls the bHermesVotes.burn function, the bHermesVotes.burn function cannot be called at all. As a result, none of the minted bHermesVotes tokens can be burned, and the need for burning 1% of the minted bHermesVotes tokens owned by the bHermes contract cannot be fulfilled.
Tools Used
VSCode
Recommended Mitigation Steps
The bHermes contract can be updated to add a function, which is only callable by the trusted admins, that can call the bHermesVotes.burn function. Similarly, functions, which are only callable by the bHermes contract, that can call the ERC20Gauges._burn and ERC20Boost._burn functions can be added in the bHermesGauges and bHermesBoost contracts; then, the bHermes contract can add functions, which are only callable by the trusted admins, that can call these new functions added in the bHermesGauges and bHermesBoost contracts. To be more restrictive, these new functions added in the bHermes contract can be required to be only able to burn the bHermesVotes, bHermesGauges, and bHermesBoost tokens owned by the bHermes contract.
Yet, if the functionalities for burning the bHermesVotes, bHermesGauges, and bHermesBoost tokens are indeed not needed, then the bHermesVotes.burn function needs to be removed, and no new functions should be added in the bHermesGauges and bHermesBoost contracts to ensure that the ERC20Gauges._burn and ERC20Boost._burn functions would not be called.
Assessed type
Other
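The pattern the report describes and the first mitigation it recommends, as an added sketch that is not part of the original report or of the Maia code base. VotesTokenSketch and OwnerSketch are hypothetical, simplified stand-ins for bHermesVotes and bHermes; the admin address, burnOwnVotes and the burn(address,uint256) signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical stand-in for the votes token: burn is gated to a single
// caller contract by an onlybHermes-style modifier.
contract VotesTokenSketch {
    address public immutable bHermes;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    error NotbHermes();

    modifier onlybHermes() {
        if (msg.sender != bHermes) revert NotbHermes();
        _;
    }

    constructor(address _bHermes) {
        bHermes = _bHermes;
    }

    function mint(address to, uint256 amount) external onlybHermes {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // Reachable only if the gated caller exposes a path that calls it.
    function burn(address from, uint256 amount) external onlybHermes {
        balanceOf[from] -= amount; // reverts on underflow in 0.8+
        totalSupply -= amount;
    }
}

// Hypothetical stand-in for the owning contract.
contract OwnerSketch {
    address public immutable admin; // assumed trusted admin
    VotesTokenSketch public immutable votes;

    error NotAdmin();

    constructor(address _admin) {
        admin = _admin;
        votes = new VotesTokenSketch(address(this));
    }

    // Without a function like this one, VotesTokenSketch.burn has no caller.
    // Restricted to tokens held by this contract, per the stricter variant.
    function burnOwnVotes(uint256 amount) external {
        if (msg.sender != admin) revert NotAdmin();
        votes.burn(address(this), amount);
    }
}
```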