Closed c4-submissions closed 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as primary issue
Insufficient proof.
MiloTruck marked the issue as unsatisfactory: Invalid
_joinSystemCoins() in repayAllDebt() is meant to add to the proxy's internal coin balance since the proxy calls modifySAFECollateralization() with itself as the _collateralSource and _debtDestination afterwards.
Lines of code
https://github.com/open-dollar/od-contracts/blob/67e5917e7dc0c16324aff3fde0298cd218a15152/src/contracts/proxies/actions/BasicActions.sol#L282-L310
https://github.com/open-dollar/od-contracts/blob/67e5917e7dc0c16324aff3fde0298cd218a15152/src/contracts/proxies/actions/BasicActions.sol#L374-L400
Vulnerability details
Impact
repayAllDebt now calls _joinSystemCoins with dest = address(this), which in case a proxy makes a delegated call to this function will cause the user's tokens to be transferred to its proxy, then in CoinJoin.join() it will transfer internal coins from CoinJoin to the proxy and will burn system tokens from the proxy, which will cause all previously transferred system tokens to be burned, which will make calling the whole function illogical because the token transfer will get messed up which will also mess up the user debt.
Proof of Concept
As you may see, the repayAllDebt logic is also present in repayAllDebtAndFreeTokenCollateral, but the two functions do not do the same thing in terms of repaying all available debt. repayAllDebt joins the tokens to address(this) [user's proxy], while repayAllDebtAndFreeTokenCollateral joins the tokens to _safeInfo.safeHandler, as it ought to be.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Context
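The accounting discussed in the judge's comment and in the Impact section, as an added example that is not part of the original issue or of od-contracts. It is a simplified Python ledger: whole coins, an accumulated rate of 1, and the account labels, class and function names are all assumptions made for the model. It goes slightly beyond the page by also running the case where the join destination and the debt destination differ.

```python
from collections import defaultdict

class Ledger:
    """Simplified model (assumption): three balance maps, rate fixed at 1."""
    def __init__(self):
        self.token = defaultdict(int)     # ERC20 system coin balances
        self.internal = defaultdict(int)  # internal coin balances
        self.debt = defaultdict(int)      # debt per SAFE handler

    def coin_join(self, caller, dest, wad):
        # CoinJoin.join() as described on the page: internal coins move from
        # CoinJoin to dest, and the same amount of tokens is burned from caller.
        if self.token[caller] < wad or self.internal["coinJoin"] < wad:
            raise ValueError("join exceeds available balance")
        self.internal["coinJoin"] -= wad
        self.internal[dest] += wad
        self.token[caller] -= wad

    def modify_safe(self, safe, debt_destination, delta_debt):
        # Debt side of modifySAFECollateralization(): repaying consumes
        # internal coins held by debt_destination.
        if self.internal[debt_destination] + delta_debt < 0:
            raise ValueError("insufficient internal coins at debt destination")
        self.internal[debt_destination] += delta_debt
        self.debt[safe] += delta_debt

def run(join_dest, debt_destination, amount=100):
    """Constructed scenario: user holds `amount` tokens against `amount` debt."""
    led = Ledger()
    led.token["user"] = amount
    led.internal["coinJoin"] = amount   # backs the tokens in circulation
    led.debt["safeHandler"] = amount
    # _joinSystemCoins(): pull tokens user -> proxy, then the proxy joins them.
    led.token["user"] -= amount
    led.token["proxy"] += amount
    led.coin_join(caller="proxy", dest=join_dest, wad=amount)
    # The proxy then repays, naming debt_destination as the coin source.
    led.modify_safe("safeHandler", debt_destination, -amount)
    return led

if __name__ == "__main__":
    led = run(join_dest="proxy", debt_destination="proxy")
    print(dict(led.token), dict(led.internal), dict(led.debt))
```

In this model the burned tokens are matched one for one by the internal coins credited to the join destination, so the repayment only fails when the coins are joined to an account other than the one named as debt destination.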