code-423n4 / 2023-10-ethena-findings


Having `FULL_RESTRICTED_STAKER_ROLE` can be front-run #134

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L106

Vulnerability details

Impact

The protocol will not be able to stop stolen funds or OFAC-sanctioned users.

Proof of Concept

`addToBlacklist`, as per the NatSpec, allows the owner (`DEFAULT_ADMIN_ROLE`) and blacklist managers to blacklist addresses.

However, the effects of having the role can be avoided if the address being blacklisted front-runs the TX. Accordingly, the address has options to front-run the `addToBlacklist` call:

  1. Call `transfer()` to move their tokens to their contract address.
  2. Start the cooldown period by calling `cooldownShares`. Since the stUSDe is burnt in this TX, there will be no trouble withdrawing the USDe from the Silo.

Tools Used

Manual Review

Recommended Mitigation Steps

While the protocol doesn't implement blacklisting of users in the USDe contract as Circle does, the protocol might consider restricting withdrawals in the Silo contract, OR the `addToBlacklist` TX should be sent through a private mempool such as Flashbots.

Assessed type

MEV
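To make the ordering race concrete, here is an added toy model (not Ethena's `StakedUSDe`/`Silo` code, and not part of the original submission). It assumes a 1:1 share-to-asset ratio, a cooldown that burns shares and parks assets in a per-user silo, and a hypothetical `silo_checks_blacklist` switch standing in for the first mitigation (enforcing the restriction at Silo withdrawal). Transactions are applied in the order they would land on-chain, so the "blacklist first" ordering stands in for the second mitigation (the admin's TX reaching the chain before the user's via a private mempool).

```python
"""Toy model of the blacklist front-running race described in the finding.

Added, simplified model: it is not the project's code. One share is worth one
asset, the cooldown burns shares and moves assets into a per-user silo, and
`unstake` releases them. Mempool ordering is simulated by applying a list of
calls in sequence; a call that hits the restriction "reverts".
"""
from dataclasses import dataclass, field


class Blacklisted(Exception):
    """Raised when a restricted address tries to move value."""


@dataclass
class StakingModel:
    shares: dict = field(default_factory=dict)    # staked shares per address
    silo: dict = field(default_factory=dict)      # assets parked during cooldown
    blacklist: set = field(default_factory=set)   # fully restricted addresses
    # Hypothetical mitigation switch: also enforce the blacklist at silo withdrawal.
    silo_checks_blacklist: bool = False

    def add_to_blacklist(self, addr: str) -> None:
        self.blacklist.add(addr)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if src in self.blacklist or dst in self.blacklist:
            raise Blacklisted(src if src in self.blacklist else dst)
        if self.shares.get(src, 0) < amount:
            raise ValueError("insufficient shares")
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def cooldown_shares(self, user: str, amount: int) -> None:
        if user in self.blacklist:
            raise Blacklisted(user)
        if self.shares.get(user, 0) < amount:
            raise ValueError("insufficient shares")
        self.shares[user] -= amount  # shares are burnt here
        self.silo[user] = self.silo.get(user, 0) + amount

    def unstake(self, user: str) -> int:
        # Without the silo-side check, a user restricted after cooldown still withdraws.
        if self.silo_checks_blacklist and user in self.blacklist:
            raise Blacklisted(user)
        return self.silo.pop(user, 0)


def run_ordering(model: StakingModel, txs) -> dict:
    """Apply (label, callable) pairs in mempool order; record reverts per label."""
    outcome = {}
    for label, call in txs:
        try:
            result = call()
            outcome[label] = result if result is not None else True
        except Blacklisted:
            outcome[label] = "reverted"
    return outcome


def frontrun_scenario(silo_checks_blacklist: bool, user_first: bool) -> dict:
    """Race between the admin's addToBlacklist and the user's cooldownShares.

    Constructed sample state: one user holding 100 shares about to be restricted.
    """
    m = StakingModel(shares={"user": 100}, silo_checks_blacklist=silo_checks_blacklist)
    blacklist_tx = ("addToBlacklist", lambda: m.add_to_blacklist("user"))
    cooldown_tx = ("cooldownShares", lambda: m.cooldown_shares("user", 100))
    unstake_tx = ("unstake", lambda: m.unstake("user"))
    if user_first:   # user's cooldown lands before the admin's blacklist TX
        order = [cooldown_tx, blacklist_tx, unstake_tx]
    else:            # blacklist lands first (e.g. sent via a private mempool)
        order = [blacklist_tx, cooldown_tx, unstake_tx]
    outcome = run_ordering(m, order)
    outcome["in_silo"] = m.silo.get("user", 0)
    outcome["shares_left"] = m.shares.get("user", 0)
    return outcome


if __name__ == "__main__":
    print("front-run, no silo check :", frontrun_scenario(False, True))
    print("front-run, silo check    :", frontrun_scenario(True, True))
    print("blacklist lands first    :", frontrun_scenario(False, False))
```

The first scenario shows the race the finding describes: `cooldownShares` succeeds before the restriction exists, and the later `unstake` releases the full 100 from the silo. With the silo-side check the same ordering still burns the shares, but the assets stay locked in the silo. If the blacklist transaction lands first, `cooldownShares` reverts and the shares never leave the vault.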

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #110

c4-judge commented 1 year ago

fatherGoose1 marked the issue as unsatisfactory: Invalid

c4-judge commented 1 year ago

fatherGoose1 marked the issue as not a duplicate

c4-judge commented 1 year ago

fatherGoose1 marked the issue as unsatisfactory: Invalid