The issue(bool isIrrevocable, address[] calldata users) method can be called by Governance to mint Soulbound tokens to users. In the case where the user has been issued a Revocable Soulbound token, but at the current moment has staked less than MINIMUM_STAKED_XVS, their token can get burned by anyone. An attacker can call xvsUpdated(address user), before the user has a chance to increase their stake and this will lead to the user's token getting burned.
Proof of Concept
The issue(bool isIrrevocable, address[] calldata users) method does not take into account user's staked XVS and xvsUpdated(address user) can be called by anyone.
Lines of code
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L331 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L373
Vulnerability details
Impact
The
issue(bool isIrrevocable, address[] calldata users)
method can be called by Governance to mint Soulbound tokens to users. In the case where the user has been issued a Revocable Soulbound token, but at the current moment has staked less thanMINIMUM_STAKED_XVS
, their token can get burned by anyone. An attacker can callxvsUpdated(address user)
, before the user has a chance to increase their stake and this will lead to the user's token getting burned.Proof of Concept
The
issue(bool isIrrevocable, address[] calldata users)
method does not take into account user's staked XVS andxvsUpdated(address user)
can be called by anyone.Steps
xvsUpdated(alice_address)
and deletes her Soulbound Revocable Token.Tools Used
Manual Analysis
Recommended Mitigation Steps
There are two possible mitigation steps and I will advise to implement both of them:
if (_xvsBalanceOfUser(user) < MINIMUM_STAKED_SVS) revert NotEnoughXVSStaked();
xvsUpdated(address user)
so it can be called only by XVSVault.solif (msg.sender != xvsVault) revert NotAuthorized();
Assessed type
Invalid Validation