Expired members can lose their tranche tokens if they call `transferTrancheTokensToCentrifuge` or `transferTrancheTokensToEVM` in `PoolManager.sol` #775
A user can call `transferTrancheTokensToCentrifuge` or `transferTrancheTokensToEVM` to move their tranche tokens to another chain, but neither function verifies on the source chain whether the caller is still an active member. The tokens are burned on the source chain before the destination-chain membership check runs, which can cause a loss of funds for users whose membership has expired.
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L136-L147
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L149-L163
Vulnerability details
Impact
A user can call `transferTrancheTokensToCentrifuge` or `transferTrancheTokensToEVM` to transfer their tranche tokens to another chain, but neither function verifies on the source chain whether the caller is an active or expired member. The tokens are burned on the source chain unconditionally, so a user whose membership has expired loses them.
Proof of Concept
The function `handleTransferTrancheTokens`, which is called on the destination chain, verifies whether the receiver address is an active or expired member:
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L272-L275

No equivalent check is performed on the source chain when the transfer is initiated:
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L136-L147
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L149-L163

Because membership is time-based, a user's membership can expire without the user noticing. Such a user can still call `transferTrancheTokensToCentrifuge` or `transferTrancheTokensToEVM`: the call succeeds on the source chain and burns their tokens, but the mint on the destination chain is rejected by the membership check in `handleTransferTrancheTokens`. The tokens are gone on the source chain and never arrive on the destination chain, so the user loses the funds.
Tools Used
Manual review
Recommended Mitigation Steps
Consider also checking that the caller is an active member in the source-chain transfer functions, so that the tokens of an expired member are never burned in the first place.
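The following is an added, self-contained Solidity sketch of that mitigation; it is not Centrifuge's code. It models the membership list as a mapping of expiry timestamps (`validUntil`), the tranche token as a minimal mint/burn contract, and the two sides of the transfer as separate contracts with the cross-chain gateway call replaced by an event. Every contract and function name other than `transferTrancheTokensToEVM` and `handleTransferTrancheTokens` is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not Centrifuge code: a time-based membership list.
// A user is a member while block.timestamp <= validUntil[user].
contract Memberlist {
    mapping(address => uint256) public validUntil;

    function updateMember(address user, uint256 until) external {
        validUntil[user] = until;
    }

    function hasMember(address user) external view returns (bool) {
        return validUntil[user] >= block.timestamp;
    }
}

// Minimal mint/burn token standing in for the tranche token (assumption).
contract TrancheToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external {
        require(balanceOf[from] >= amount, "TrancheToken/insufficient-balance");
        balanceOf[from] -= amount;
    }
}

// Source-chain side. The gateway call that carries the message to the
// destination chain is replaced by an event (assumption for the example).
contract PoolManagerSource {
    TrancheToken public immutable trancheToken;
    Memberlist public immutable memberlist;

    event TransferTrancheTokens(address indexed sender, address destinationAddress, uint128 amount);

    constructor(TrancheToken token, Memberlist members) {
        trancheToken = token;
        memberlist = members;
    }

    // Vulnerable pattern: burns the sender's tokens without checking that the
    // sender is still a member. If the destination handler then rejects the
    // mint, the burned tokens are unrecoverable.
    function transferTrancheTokensToEVMVulnerable(address destinationAddress, uint128 amount) external {
        trancheToken.burn(msg.sender, amount);
        emit TransferTrancheTokens(msg.sender, destinationAddress, amount);
    }

    // Mitigated pattern: refuse on the source chain, so the tokens of an
    // expired member are never burned in the first place.
    function transferTrancheTokensToEVM(address destinationAddress, uint128 amount) external {
        require(memberlist.hasMember(msg.sender), "PoolManager/sender-not-a-member");
        trancheToken.burn(msg.sender, amount);
        emit TransferTrancheTokens(msg.sender, destinationAddress, amount);
    }
}

// Destination-chain side, mirroring the check the report cites in
// handleTransferTrancheTokens: only active members receive the mint.
contract PoolManagerDestination {
    TrancheToken public immutable trancheToken;
    Memberlist public immutable memberlist;

    constructor(TrancheToken token, Memberlist members) {
        trancheToken = token;
        memberlist = members;
    }

    function handleTransferTrancheTokens(address destinationAddress, uint128 amount) external {
        require(memberlist.hasMember(destinationAddress), "PoolManager/not-a-member");
        trancheToken.mint(destinationAddress, amount);
    }
}
```

To reproduce the scenario from the report against this model: register a user with `updateMember(user, T)`, mint them tokens, and let `block.timestamp` pass `T`. Calling `transferTrancheTokensToEVMVulnerable` still burns the balance, and the subsequent `handleTransferTrancheTokens` on the destination side reverts with `PoolManager/not-a-member`, so the balance is lost on both chains. Calling the mitigated `transferTrancheTokensToEVM` instead reverts before the burn, leaving the balance intact. Note that the source-chain memberlist cannot see the destination chain's list, so this check only closes the case the report describes (a sender whose own membership has lapsed); a disagreement between the two chains' lists would still need a destination-side remedy.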
Assessed type
Other