Open c4-submissions opened 11 months ago
0xRobocop marked the issue as low quality report
If issue
should validate if a user has enough staking or not seems like a design decision.
Leaving for sponsor validation.
0xRobocop marked the issue as primary issue
0xRobocop marked the issue as high quality report
chechu marked the issue as disagree with severity
Consider QA
1) the motivation of the user to do this is low because the rewards are proportional to the XVS staked, so less XVS implies less rewards 2) there is a mechanism to fix this (unlikely) situation: execute a Critical VIP (only 7 hours of delay) to burn the token
If the user frontrun the issue function:
The issue function is only executed by Governance, and we tried to reduce the gas consumed to emit as many Prime tokens as possible in one transaction
chechu (sponsor) acknowledged
fatherGoose1 changed the severity to QA (Quality Assurance)
Agree with QA given the lack of incentives. The prime token will lack utility with lower XVS staked as the user won't accrue much rewards.
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L350-L352
Vulnerability details
Impact
Stated in the discord channel:
“What is the primary use of the issue function?
Issue the initial set of Prime tokens, to the users that were staking more than 1,000 XVS tokens for the last 90 days. Moreover, it will be used to issue the irrevocable tokens (the business criteria for issuing these irrevocable tokens are not defined yet)”.
A user can bypass these criteria by first becoming eligible to be issued a revocable token, then frontrunning the
issue
function and unstaking their XVS tokens (resulting in their staked XVS balance dropping below 1,000 XVS).Since the
issue
function lacks checks when minting a revocable token, the user would still receive a revocable token when theissue
function is executed, even though they no longer meet the qualification criteria (they no longer stake >= 1000 XVS tokens).Proof of Concept
Here is the coded scenario to illustrate the vulnerability
Tools Used
VsCode
Recommended Mitigation Steps
In
issue
function, add a requirement to check if a user has staked a sufficient amount of XVS tokens before minting to them a revocable tokenAssessed type
MEV