code-423n4 / 2023-10-ethena-findings


FULL_RESTRICTED_STAKER_ROLE account that has funds in Silo will be able to withdraw #78

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDeV2.sol#L78-L90

Vulnerability details

Proof of Concept

In case an account is sanctioned, the owner (BLACKLIST_MANAGER_ROLE) can blacklist such an account and mark it as FULL_RESTRICTED_STAKER_ROLE.

In this case the account can't do anything with its funds anymore and they can be confiscated.

Of course, the user can frontrun this tx in order to avoid the block and transfer his funds to another account. The protocol team says that this will be fixed by using the Flashbots relay to hide the tx, so the attacker can't frontrun it.

The StakedUSDeV2 contract has a cooldownDuration period. This means that when an account redeems or withdraws, the redeemed funds are first sent to the silo contract, and only when the cooldownDuration period has passed will the user be able to withdraw the funds. Neither the StakedUSDeV2.unstake function nor the silo contract checks if the user has BLACKLIST_MANAGER_ROLE; they just allow the withdrawal.

Because of that it's possible that a sanctioned account will try to withdraw from StakedUSDeV2 before it is marked as BLACKLIST_MANAGER_ROLE, and its funds will go to the silo contract. Some time after, the protocol will receive info that the account is sanctioned and will mark it as BLACKLIST_MANAGER_ROLE, but this will not lock the funds and the sanctioned attacker will be able to withdraw them.

Impact

A sanctioned account has the ability to save its funds.

Tools Used

VsCode

Recommended Mitigation Steps

Make the unstake function check if the account has BLACKLIST_MANAGER_ROLE. Also create a function similar to redistributeLockedAmount that can transfer locked assets from the silo to another address.

Assessed type

Error
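The cooldown/silo flow the report describes, together with the two mitigations it recommends, as an added Solidity sketch that is neither the report's nor Ethena's code. Only FULL_RESTRICTED_STAKER_ROLE, unstake and cooldownDuration are taken from the page; CooldownVault, Silo, startCooldown, unstakeUnchecked, redistributeSiloAmount, the admin address and the hasRole mapping are assumed names, and the real redeem path (share burning before assets move to the silo) is replaced by a plain token pull so the sketch stays self-contained. unstakeUnchecked keeps the shape the report complains about (timer only); unstake adds the restricted-role check; redistributeSiloAmount is the silo-side counterpart of redistributeLockedAmount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative sketch, not Ethena's code. Names other than
// FULL_RESTRICTED_STAKER_ROLE, unstake and cooldownDuration are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Holds assets during the cooldown; only the vault may release them.
contract Silo {
    address public immutable vault;
    IERC20 public immutable asset;

    constructor(address _vault, IERC20 _asset) {
        vault = _vault;
        asset = _asset;
    }

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == vault, "Silo: only vault");
        require(asset.transfer(to, amount), "Silo: transfer failed");
    }
}

contract CooldownVault {
    bytes32 public constant FULL_RESTRICTED_STAKER_ROLE = keccak256("FULL_RESTRICTED_STAKER_ROLE");

    struct UserCooldown {
        uint256 cooldownEnd;
        uint256 underlyingAmount;
    }

    IERC20 public immutable asset;
    Silo public immutable silo;
    address public admin;
    uint256 public cooldownDuration = 90 days;
    mapping(address => UserCooldown) public cooldowns;
    // Minimal stand-in for AccessControl: role => account => granted.
    mapping(bytes32 => mapping(address => bool)) public hasRole;

    constructor(IERC20 _asset) {
        asset = _asset;
        admin = msg.sender;
        silo = new Silo(address(this), _asset);
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function setFullyRestricted(address account, bool restricted) external onlyAdmin {
        hasRole[FULL_RESTRICTED_STAKER_ROLE][account] = restricted;
    }

    function _restricted(address account) internal view returns (bool) {
        return hasRole[FULL_RESTRICTED_STAKER_ROLE][account];
    }

    // Simplified redeem: pulls the caller's tokens straight into the silo and
    // starts the timer (the real contract burns shares first).
    function startCooldown(uint256 assets) external {
        require(!_restricted(msg.sender), "restricted");
        cooldowns[msg.sender].cooldownEnd = block.timestamp + cooldownDuration;
        cooldowns[msg.sender].underlyingAmount += assets;
        require(asset.transferFrom(msg.sender, address(silo), assets), "pull failed");
    }

    // Shape the report describes: only the timer is checked, so an account
    // restricted *after* startCooldown can still pull its funds out of the silo.
    function unstakeUnchecked(address receiver) external {
        UserCooldown memory uc = cooldowns[msg.sender];
        require(block.timestamp >= uc.cooldownEnd, "cooldown not over");
        delete cooldowns[msg.sender];
        silo.withdraw(receiver, uc.underlyingAmount);
    }

    // Recommended shape: refuse restricted callers and receivers before releasing.
    function unstake(address receiver) external {
        require(!_restricted(msg.sender) && !_restricted(receiver), "restricted");
        UserCooldown memory uc = cooldowns[msg.sender];
        require(block.timestamp >= uc.cooldownEnd, "cooldown not over");
        delete cooldowns[msg.sender];
        silo.withdraw(receiver, uc.underlyingAmount);
    }

    // Silo counterpart of redistributeLockedAmount (assumed name): moves a
    // restricted account's silo balance to another address, whether or not
    // the cooldown has elapsed.
    function redistributeSiloAmount(address from, address to) external onlyAdmin {
        require(_restricted(from), "not restricted");
        require(!_restricted(to), "receiver restricted");
        uint256 amount = cooldowns[from].underlyingAmount;
        delete cooldowns[from];
        silo.withdraw(to, amount);
    }
}
```

The check in unstake has to run before the silo releases anything, because the silo itself only knows its vault, not the role registry; restricting the receiver as well as the caller closes the obvious workaround of naming a fresh address.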

c4-pre-sort commented 1 year ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #62

c4-judge commented 1 year ago

fatherGoose1 marked the issue as not a duplicate

fatherGoose1 commented 1 year ago

Valid design recommendation, but does not violate business logic of the Ethena system.

c4-judge commented 1 year ago

fatherGoose1 changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

fatherGoose1 marked the issue as grade-b