Restriction Manager does not check the source address

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/RestrictionManager.sol#L28-L42

Vulnerability details

Impact

The detectTransferRestriction takes in all the necessary parameters:

  function detectTransferRestriction(address from, address to, uint256 value) public view returns (uint8)

However it only performs a check on the address to The restriction used here is timebased, however a user can continuing using, swapping, transferring and even redeeming their tranche tokens long after their restriction time has passed.

Proof of Concept

This is caused by the function below

    function hasMember(address user) public view returns (bool) {
        if (members[user] >= block.timestamp) {
            return true;
        }
        return false;
    }

    function detectTransferRestriction(address from, address to, uint256 value) public view returns (uint8) {
        if (!hasMember(to)) {
            return DESTINATION_NOT_A_MEMBER_RESTRICTION_CODE;
        }

        return SUCCESS_CODE;
    }

This function detectTransferRestriction checks only the destination, not the origin address

Tools Used

Manual review

Recommended Mitigation Steps

Implement checks for the from address

Assessed type

ERC20

[c4-pre-sort]

raymondfam marked the issue as low quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #29

[c4-judge]

gzeon-c4 marked the issue as unsatisfactory: Invalid

[c4-judge]

gzeon-c4 marked the issue as not a duplicate

[c4-judge]

gzeon-c4 marked the issue as primary issue

[c4-judge]

gzeon-c4 marked the issue as duplicate of #779

[c4-judge]

gzeon-c4 marked the issue as satisfactory